The HIPAA Final Rule (138 pages, published January 25, 2013) modified the Privacy, Security, Breach Notification and Enforcement Rules under the Health Insurance Portability and Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA). The Final Rule imposes new obligations on both covered entities (such as group health plans) and business associates (such as health insurance brokers, consultants, and third-party administrators). Since compliance is generally required by September 23, 2013, affected entities should begin the required actions now to ensure they are in compliance by the September deadline.

Summary of Substantive Areas Changed by the Final Rule

The Final Rule made numerous changes to prior HIPAA rules, of which the following are most relevant for group health plans and business associates. For additional detail on these items, ask your Leavitt advisor for a copy of Leavitt’s longer article on the January 2013 HIPAA Final Rule.

Business Associates (BAs)

  • Expanded definition of BA (includes storage providers of electronic or hardcopy PHI, even if they do not access, use or disclose the PHI)
  • BAs are now directly subject to HIPAA rules, not just required to comply with terms of BAAs
  • Subcontractors are also required to comply with BA obligations

Business Associate Agreements (BAAs)

  • Updated model BAA, which group health plans and BAs must use by September 23, 2013
  • Compliant BAAs that were in effect as of January 25, 2013, are deemed effective until September 23, 2014, or until the date they are renewed or modified, if earlier

Breach Notification Standards and Requirements

  • Presumption that unsecured (unencrypted) PHI is compromised if unlawfully used or disclosed, so the health plan or BA must notify affected parties of the breach, unless the health plan or BA conducts a risk assessment that shows there is a low probability the PHI was compromised (or one of the three stated exceptions applies).

Notice of Privacy Practices (NPPs) – covered entity (such as group health plan) must post or distribute revised NPP, which must include:

  • Authorization is required for use or disclosure of PHI for marketing or sale of PHI and for psychotherapy notes
  • Right to opt out of fundraising communications
  • Prohibition on use of genetic PHI for underwriting and other purposes
  • Group health plan must notify affected individuals in the event of a breach of unsecured PHI

Expanded Individual Rights

  • Right to access PHI: Group health plans must provide individuals their electronic PHI in the form and format requested by the individual, if readily available, and must transmit ePHI directly to a person designated by the individual
  • Right to request restrictions: An individual who pays in full and out of pocket for an item or service may request that the health care provider not share that PHI with the group health plan

Limits on Using PHI for Marketing and on Sale of PHI

  • Continues requirement for individual authorizations prior to using or disclosing PHI for marketing or sale, and expands definitions of those terms

Genetic Information

  • Incorporates GINA’s prohibition that group health plans and health insurers cannot use or disclose genetic information for underwriting purposes, defined to include eligibility, enrollment, cost-sharing, setting premium or contribution amounts, or wellness program incentives.

Enforcement and Increased Civil Penalties

  • Continues HITECH’s four-tiered penalty system, which may result in penalties up to $1.5 million per year for each violation of a “standard” or requirement.
  • Gives HHS discretion to proceed with an investigation in response to complaints or breach reports and to impose, waive or lessen penalties or settle cases. HHS is no longer directed to focus on assisting with compliance or resolving complaints and may proceed directly to enforcement and penalties.