The deadline for compliance with the Health Insurance Portability and Accountability Act's new notification standards has come and gone, but employers' efforts to toe the line with the latest privacy and security regulations have just begun. In essence, companies had until Sept. 23 of this year to update their notices of privacy practices and until the end of time to remain compliant with them.

The good news for most HR professionals and benefits administrators is that perhaps the most sweeping change to HIPAA with the rules issued in January doesn't apply directly to them, but to their third-party administrators and business associates. That can, however, require new contracts and agreements with them.

"HIPAA is this really big statute, but what we think of as HIPAA, when we use the term, are really just the privacy and security rules," says Edward I. Leeds, an employee benefits and health care attorney with Ballard Spahr LLP, adding that more of those rules are now trickling down to outside vendors and subcontractors, with a legislative goal of improving security for the individual.

"HIPAA traditionally applied only to 'covered entities,' like a health plan, but it didn't directly apply to the vendors of the health plan or the third-party administrator," Leeds says. "It's a hard concept to understand. A health plan is really just a bundle of rights to get care. The employer sponsors the health plan, but the employer isn't the health plan itself. So when an employer gets information that an employee wants to take a leave of absence or something, that's not subject to HIPAA. That's the employer acting as the employer, not as the health plan."


Business associates

A. Melinda Maher, who focuses on benefits and compensation at Dorsey & Whitney LLP, says now "privacy and security rules have to flow down to business associates." Business associates, she says, have now been brought under the 2009 Health Information Technology for Economic and Clinical Health Act, with much the same standards for private health information.

"And business associates then in turn, the vendors they contract, which we kind of call subcontractors, are also going to be subject," Maher says. "So that's actually a really big deal. ... it's a huge deal for the health care industry as a whole, that these entities basically could be subject directly to an action from HHS directly for a violation of HIPAA."

So in addition to privacy practices, your business associates' agreements need to be updated. In many cases, they should be already (that compliance deadline was also Sept. 23), but, should the agreement have last been amended or signed before Jan. 22, 2013, employers have another year to bring their contracts and paperwork up to code.


PHI breaches

Perhaps the biggest potential HIPAA change for intraoffice concerns is the new set of standards for breaches of PHI. In short, the threshold for what counts as a breach is lower, the required response is larger and penalties for noncompliance now have teeth.

"We have a different standard for what a breach is and, therefore, when we need to notify people when there's been a breach," Maher says.

Under HITECH's 2009 standards, a breach was considered a use or disclosure of PHI that was not permitted under HIPAA and carried a substantial risk of financial (such as credit card or Social Security information), reputational (the disclosure of an illness) or other harm. That was the standard for three years.

"The actual, final rules, were active Sept. 23," Maher says. "And it's more likely that you'll have a breach now. What happened was, the standard that the [Health and Human Services] Secretary issued ... Congress said they didn't like it. They thought it was too lax, basically. So we have this new standard, and we have to presume there's a breach" until a risk analysis is done.

"Most likely it means that more uses and disclosures will be considered breaches," she adds. "Whether employers will have more of those unauthorized uses and disclosures is more of an open question in my mind."

Information is considered unsecured unless it is encrypted or destroyed in accordance with government standards, and now organizations have to act under the assumption that a breach has occurred until they have investigated sufficiently to prove otherwise.

"There are exceptions, but the most important consideration is the likelihood that the information has been compromised in a way that could cause harm," Leeds says. Vendors and business associates, he adds, are required to notify covered entities (i.e., the health plan or its handler - the employer) of breaches the same way covered entities must notify the affected individuals.

"A covered entity must without unreasonable delay, and within 60 days, notify affected individuals," he says. "If the breach is large enough - more than 500 in a state affected - it must notify local media in the same time frame as for individuals," says Leeds. "It must also report the breach to the federal government if the breach is large enough - at least 500 affected. [In that case] this notice must be provided in the same time frame as for individuals; if smaller, the employer keeps a log and reports electronically. The covered entity could arrange contractually with the business associate to take some or all of the notice obligation on."

The responsibilities for business associates are vast and varied; they could require anything from new software to new personnel. What's more, Leeds points out, anyone can be a business associate of a health plan - a vendor, a consultant or even a lawyer.

Both Leeds and Maher emphasize that employers should consider how to train relevant members of their workforces in the new requirements as part of their ongoing compliance efforts. This time around, they point out, the rules come with teeth.

"Pay attention to HIPAA," Maher urges. "There's real enforcement now; I would not overlook this one. I think in the past people have overlooked HIPAA, and I think it's time that entities that are subject to it truly pay attention. ... The penalties were increased by the HITECH Act, and HHS is really auditing for compliance now. We've seen action from state attorneys general. In Minnesota for example, our state attorney general took action under HIPAA" as a result of a missing laptop.

Rules expand patient rights

The new HIPAA rules also expand individual rights, according to the Department of Health and Human Services. Patients can ask for a copy of their electronic medical record in electronic form. When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan. Moreover, there are new limits on how information is used and disclosed for marketing and fundraising purposes, and the rules prohibit the sale of an individual's health information without their permission.

The final rule also reduces burden by streamlining individuals' ability to authorize the use of their health plan information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child's immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The federal government's Office for Civil Rights has created a number of communication materials, available at, to educate consumers about their health privacy rights. These include:

* The Right to Access and Correct Your Health Information (video).

* Your New Rights Under HIPAA (video).

* Your Health Information Privacy Rights (pamphlet).

If someone believes their rights have been violated, they can learn more about filing a complaint with OCR at
