September 23, 2013 is the deadline by which group health plans and business associates must comply with the HIPAA Final Rules that were published January 25th of this year. Two of the action items include updating the Notice of Privacy Practices (NOPP) and the Business Associate Agreements (BAAs). A third change is the expanded presumption of when a breach of unsecured PHI occurs, which requires the plan (sponsor) to notify affected individuals. This article explains these requirements.
Notice of Privacy Practices (NOPP)
The final rule includes special distribution rules for health plans and also requires that specific additional information be included in NOPPs.
- Posting on Website. If the group health plan has a website (or the plan sponsor has a benefits portal), the revised NOPP (or an explanation of the material changes to the NOPP) must be prominently posted on this website by September 23, 2013.
- If No Website. If the group health plan does not have its own website, the notice (or an explanation of the material changes to the NOPP) must be delivered to participants by November 23, 2013.
- Next Annual Mailing. In addition to the website posting, the group health plan (sponsor) also must include the revised NOPP (or an explanation of the material changes and instructions on how to obtain a hard copy of the revised NOPP) in its next annual mailing (i.e. open enrollment). This must be sent to current plan participants. The annual mailing may be sent electronically (e.g., via email), if the plan (sponsor) complies with the ERISA electronic distribution rules that apply to summary plan descriptions.
- Request by Participant. Beginning September 23, 2013, any plan participant who requests a copy of the NOPP must be given the revised NOPP, not the prior version.
Required Changes to NOPP
- Breach. NOPP must state that the group health plan must notify affected individuals in the event of a breach of unsecured PHI.
- Authorizations. NOPP must include a statement that the individual’s authorization is required for:
- Most uses or disclosures of psychotherapy notes
- Uses or disclosures of PHI for marketing purposes
- Disclosures that are considered a sale of PHI
- Use of Genetic Information. If the group health plan intends to use PHI for underwriting purposes, the NOPP must include a statement that the plan cannot use an individual’s genetic information for underwriting purposes, including eligibility, enrollment, cost-sharing, setting premium or contribution amounts, or wellness program incentives. This incorporates requirements under the Genetic Information Nondiscrimination Act (GINA).
- Fundraising. If a covered entity intends to contact people for fundraising purposes, the NOPP must notify individuals of this and inform them of their right to opt out of fundraising communications. This is more likely to apply to a hospital than to a group health plan.
- Restriction on Uses and Disclosures. Although this change applies only to NOPPs provided by health care providers (not by health plans), it may be of interest to health plan sponsors: NOPP must notify individuals that if they pay out-of-pocket for the full amount of a health care expense, they generally have the right to direct the provider not to disclose information about the expense to a health plan.
Business Associate Agreements
BAAs Entered Into On or After January 25, 2013. BAAs entered into on or after January 25, 2013 (e.g., between a group health plan and its TPA or insurance broker) should be updated to include the provisions required by the January 25th Final Rule. HHS published updated model language for the HIPAA BAA in January, and Leavitt has a sample BAA our clients can use (with us or with other business associates).
BAAs Entered Into Before January 25, 2013. BAAs that were in effect as of January 25, 2013 and were compliant with requirements at that time are deemed compliant until September 23, 2014 (one additional year). The parties to such a BAA can elect to replace it with an updated BAA, but are not required to do so. This one-year transitional relief applies only to BAAs, and not to other requirements such as the changes to the NOPP listed above.
Breach Notification Standards and Requirements
Group health plans are required to notify affected participants if a breach of unsecured PHI occurs. As noted above, this is one of the statements that must be included in the NOPP by September 23, 2013. A “breach” occurs if there is an unpermitted acquisition, access, use, or disclosure of PHI which “compromises the security or privacy of the PHI.” The Final Rule adopts a new presumption that makes it more likely that an impermissible use or disclosure will be treated as a breach, which in turn expands the circumstances under which affected participants must be notified. Notwithstanding this expansive presumption, there are four circumstances under which a breach will not be deemed to have occurred (listed below).
Final Rule Presumption
The Final Rule creates a presumption that unsecured (i.e., unencrypted) PHI is compromised whenever it is used or disclosed in a manner not permitted by the Privacy Rule, so the health plan or business associate must notify affected parties of the breach unless it conducts a risk assessment that demonstrates a low probability that the PHI was compromised (or one of the four stated exceptions applies). The risk assessment must consider at least four factors: the nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification); the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. The assessment should be documented, because the burden is on the plan or business associate to show that notification was not required. This standard probably will increase the number of reportable breaches.
Under the prior rule, a group health plan (or other covered entity) for whom a potential breach occurred was not required to notify affected parties if there was no significant risk of harm to the individual, or if the data was encrypted or otherwise secured.
Four “No Breach” Exceptions
The four circumstances under which a breach will not be deemed to have occurred are:
1- Encrypted data. The data was encrypted (not just protected by other means, such as access control). To rely on this exception, the encryption should be consistent with HHS guidance, which points to NIST standards, and the decryption key must not have been exposed along with the data; a lost laptop whose disk is encrypted but whose password is taped to it does not qualify.
2- Unintentional access by a workforce member or a person acting under the authority of the covered entity (e.g., the group health plan) or business associate, if the acquisition, access, or use was made in good faith and within the scope of that person’s authority and did not result in further use or disclosure in an unpermitted manner.
3- Inadvertent disclosure by a person who is authorized to access PHI at the covered entity or business associate to another person at the same entity who is also authorized to access PHI, provided the PHI is not further used or disclosed in an unpermitted manner.
4- Good-faith belief that the recipient of an unauthorized disclosure could not reasonably have retained the information. For example, a group health plan mails communications that contain PHI to the wrong people, and the post office returns them unopened as undeliverable.
Final Rule Changes to HIPAA Enforcement
In addition to the “action items” listed above, the HIPAA Final Rule also makes the following changes to the HIPAA enforcement procedures.
- Requires HHS to initiate an investigation if a preliminary review indicates a possible violation due to willful neglect
- No longer requires HHS to attempt to resolve violations through informal means before proceeding to penalties and enforcement
- Makes group health plans liable for the acts of business associates, and of their subcontractors, who are the health plan’s “agents” under the federal common law of agency
Other Action Items for Plan Sponsors
- Review and revise other HIPAA Privacy & Security policies and procedures, if needed
- Update workforce training on HIPAA and breach notification
- Perform a Security Risk Analysis if the plan (sponsor) creates, receives, stores or transmits electronic PHI
- Update or implement safeguards on PHI if needed – for example, the Final Rule includes additional limits on the use of mobile devices for accessing or transmitting ePHI
- Revise and update the group health plan document and SPD if needed