www.quarles.com
John Barlament, Quarles & Brady LLP
Employer Health Plans Under the New HIPAA Rules: Action Steps for Compliance
Topics for Today
Four main areas of HIPAA Administrative Simplification
– Enforcement strengthened and penalties increased
– Applying Security Rules to business associates (“BAs”)
– New breach notification rules
– New Privacy Rules
Highlight where new regulations make changes
– For many items, new regulations made limited changes
Overview
HIPAA enacted in 1996 and contained several parts
Title I: Portability
– Pre-existing condition limitations
– Nondiscrimination rules
Title II: Administrative Simplification – Core Requirements
– Standard Transaction Rules
– Privacy Rules
– Security Rules
– Breach Notification Rules
Administrative Simplification Rules amended several times, including by HITECH Act in 2009 and health care reform
Which Plans are Affected?
Rules generally apply to “health plans”
– Major medical; dental; vision; health reimbursement arrangement (“HRA”); health FSA
– Need to examine employee assistance plan (“EAP”) and wellness plan separately
  Some may provide medical benefits, but not all will
  Complex area and some disagreement
– Does not usually apply to:
  Health savings accounts (“HSAs”) (although theoretically possible)
  – Would apply to related high deductible health plan
  Self-administered plans with less than 50 “participants”
  Non-health plans (e.g., disability)
  – Can be subject to other laws – e.g., ADA has privacy rules
Core Requirements Remain Same
Standard Transaction Rules: Intended to put the “simplification” in Administrative Simplification Rules
– When covered entities talk electronically, use same codes
  E.g., use a common identification number for various hospitals and clinics
  Claims for benefits follow same electronic format
Privacy: Use and disclosure rules for protected health information (“PHI”)
– Administrative requirements for employers on behalf of health plans
– Privacy rights for individuals
Core Requirements
Security Rule: Applies to electronic PHI (“ePHI”)
– Administrative, physical, technical safeguards
  Some are “required”, others “addressable”
– Organizational, documentation requirements
Breach Notification: Breach of “unsecured” PHI
– New regulations provide changes to “breach” definition
  No longer use “significant risk of financial, reputational or other harm”
How Rules Apply to Group Health Plans
“Basic” rules for employers and their plans remain same
Fully-insured plans (usually “hands off” PHI): Minimal obligations
– Theoretically state no discrimination
Self-funded plans (usually “hands on” PHI): Significant obligations
– Amend plan document so employer follows HIPAA
– Create policies and procedures; train “workforce”
– Various administrative requirements (e.g., identify BAs)
Vast majority of new regs do not apply “differently” to health plans than to other covered entities
Overview – Health Care Reform
Health care reform made some changes also
New Standard Transactions
– Electronic funds transfer (regulations 1/2012; effective 1/2013)
  Employers / plan sponsors should have verified in 2012 that current business associate agreement included this
Follow Operating Rules
– Staggered effective dates
– Eligibility for health plan and health care claim status regulations issued in 2011
  Effective January 2013
– Others take effect in 2014 and 2016
Overview – Health Care Reform
Unique health plan identifier
– 9/2012 HHS issued final regulations
– Health plans apply for a unique number for Standard Transaction purposes
– Large health plans need one by 11/2014
– Small receive extra year; both use by 11/2016
New “employer certification” requirement by end of 2013
– Certify compliance with certain Transactions and Operating Rules
– No regulations yet (so details unknown)
– Penalty range as low as $1 per covered life per day
– Put into updated business associate agreements (“BAAs”)?
“Other” health care reform HIPAA changes not covered here
– E.g., increasing wellness plan discount / penalty from 20% to 30% - 50%
New Regulations
Very long but maintain many prior proposed changes
Most changes effective September 23, 2013
– E.g., updates to notices of privacy practices and policies and procedures (discussed later)
– General “catch-all” provision would not be sufficient
Changes to business associate agreements (“BAAs”):
– Complicated rules for whether effective date of updated BAAs is 9/2013 or 9/2014
– However, extra year relief hinges on whether BAA complied with HIPAA as in effect on 1/25/2013
New Regulations
– Employer may not be 100% certain, so may want to update all by 9/2013 (not 9/2014)
HHS published new sample BAA which is “better” than prior sample – http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
– Still leaves out some items (e.g., Standard Transaction Rules)
– Also does not include some other items employers / plans may want
  E.g., no sending of PHI offshore; who determines if there is a breach; who pays if a breach, etc.
Applying Rules to Business Associates
Commentators complained of “gap” in health privacy – BAs only indirectly covered
HITECH now applies most HIPAA Security Rules (and some Privacy Rules) directly to BAs
New regs: “Subcontractors” also must comply
– And subcontractors of subcontractors, etc.
– Can create contracting issues
  E.g., plan requires BA to notify it of breach within 10 days
  BA has Subcontractor 1
  Subcontractor 1 has Subcontractor 2
  Will agreement between Sub 1 and Sub 2 allow sufficient time for breach at Sub 2 to reach plan within 10 days?
  Do Sub 1 and Sub 2 (or Sub 3 or Sub 4) even know of 10-day requirement?
Applying Rules to Business Associates
Many business associates will also have a health plan
– So, will have two “levels” of HIPAA compliance – as a BA and as a sponsor of a health plan
– Some entities covered in three ways (provider; BA; sponsor of plan)
  Policies and procedures will not be identical (but could have significant overlap)
Note: Still no direct duty under HIPAA for plans to monitor their BAs
– However, ERISA does have a similar fiduciary duty
New Breach Notification Rules
If:
(1) covered entity or business associate accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses “unsecured protected health information”; and
(2) there is a “breach” of such information; and
(3) the breach is “discovered”;
then (4) notification rules apply
Covered entities and business associates follow rule
New Breach Notification Rules
New regs: For this (and other obligations) plan can require BA (e.g., third party administrator (“TPA”)) to conduct on behalf of plan
– If so, must include in BAA
– Plan still liable (so consider indemnification?)
– Caution: BAs may have a “bias”
– Recommend that employer / plan reserve right to determine if “breach” occurred
– Also, recommend “quick” report to plan
“Accesses, maintains…unsecured PHI”:
– Terms not well-defined but seems broad
– “Unsecured PHI” – PHI not secured through technology or methodology approved by HHS
  4/17/09 HHS guidance “safe harbor” for data: in motion; at rest; in use; disposed.
  – Encryption (NIST approved)
  – Destruction (shredded or purged)
Note: Can have a “breach” of paper PHI or electronic PHI
New Breach Rules – Defining “Breach”
“Breach” is: (1) acquisition, access, use or disclosure (2) of PHI (3) in manner not permitted under Privacy Rules (4) which “compromises” the security or privacy of the PHI
– E.g., benefits department employee is curious about co-worker’s medical situation and reviews (accesses) medical record
– E.g., explanation of benefits (“EOB”) sent to wrong person and actually opened
Prior standard from 2009 regulations now eliminated
– “Significant risk of financial, reputational or other harm”
Defining “Breach”
Old standard replaced by somewhat-vague “compromised” standard
– Does not require that every improper use or disclosure be treated as a “breach”
Covered entity and business associate assume breach occurred if improper use or disclosure
Both assess probability that PHI has been “compromised” based on a risk assessment
– Must consider at least four factors
Defining “Breach”
(1) Nature and extent of PHI involved
– Including types of identifiers and likelihood of re-identification
(2) Unauthorized person who used PHI or to whom the disclosure was made
(3) Whether PHI was actually acquired or viewed
(4) Extent to which the risk to the PHI has been mitigated
All should be documented
– Plan may want BA to do assessment and provide it to plan
– HHS considered, but rejected, idea that third party determines if “breach” occurred
– New regs: Burden of proof on plan / BA to prove no breach occurred
Exceptions to “Breach”
Does not include unintentional acquisition, access, use or disclosure of PHI by workforce member (or acting under authority) if done in good faith and within scope and not further used or disclosed
– New regs: Does not include “snooping employees”
“Breach” also does not include certain inadvertent disclosures at covered entity or BA if information not further used or disclosed
“Breach” does not include disclosure where person would not have reasonably been able to retain it
New regs: Also may be other situations (above is not exhaustive list)
Breach Rules – What Happens if Breach Occurs
Generally notify affected individuals
– Usually within 60 days after breach “discovered”
  Includes discovery by an agent – clarify in BAAs that BA is not an “agent”?
HHS notification usually required after end of year
– If “major” breach of 500+, notify HHS within 60 days and media
– For both, consider impact to employer’s brand / employee relations issues
Breach Rules – Include in Content of Notification
Brief description of what happened, including date of breach and date discovered
Types of unsecured PHI involved (e.g., name, Social Security number, date of birth, home address, account number)
Steps individual should take to protect from potential harm
What covered entity is doing to investigate the breach, mitigate losses and protect against further breaches
Contact procedures for individuals to ask questions; shall include toll-free phone number, email address, web site or postal address
All written in “plain language”
Require BA to provide if BA causes breach?
New Access Rules
Individuals have right to access and obtain copy of PHI in designated record set
Health plan previously had to respond within 60 days
– 30 day extension also available
New regs: Must respond within 30 days
– 30 day extension still available
– Will likely require changes to policies / procedures
New regs: Plan must, if requested by individual, transmit copy of PHI directly to another designated person
– Request to do so “must” be in writing, signed by individual and must clearly identify recipient
Can still charge reasonable, cost-based fees
– New regs: No standard “retrieval fee”
– New regs: Can include cost of CD (if that is what individual requests)
New Access Rules
New Regs: If individual requests electronic copy of PHI and if PHI maintained electronically, plan must provide access to it in electronic form and format requested
If not possible, provide “machine readable” copy
– Includes Word, Excel, text, HTML, PDF
Consider risks of allowing direct download on individuals’ portable devices
Employer probably does not have entire “designated record set”
– Coordinate with TPA and other BAs (if self-funded)
– If employer’s health plan is fully-insured, likely forward employee to insurer
Restriction Request Rules
Individual can make restriction request under 164.522 – and covered entity usually need not follow it
Under HITECH, covered entity must comply with request if:
– Disclosure is to a health plan for purposes of carrying out payment or health care operations (but not treatment) and
– PHI pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full
Preamble to new regs: Rule only applies to providers (not health plans)
– But, wording of regs not so limited
– Recommend updating health plan policies and procedures to include
Guidance on “Minimum Necessary”
Currently, most uses and disclosures of PHI must be of “minimum necessary” amount
– Not always easy to know what “minimum necessary” means
New Regs: BAs directly subject to rule
– Also includes requests a BA makes of another BA
– Parties may want to address in BAA
  Sample BAA from HHS has some language
– Future guidance expected
Prohibiting Sale of PHI
Covered entity and BA cannot “directly or indirectly receive remuneration” in exchange for any PHI unless covered entity obtained valid authorization from individual (and authorization must specify that remuneration is acceptable)
Are some exceptions (e.g., can receive a few dollars from individual for copying medical records; research, treatment)
Will health plans ever “sell” PHI?
– Not typical but cannot rule it out
– Do include in BAA
Marketing of PHI
Covered entity generally needs authorization for “marketing” (communication encouraging purchase or use of product)
Several exceptions
– E.g., to provide refill reminders about current drug (remuneration limited to cost of communication)
– Care coordination (no remuneration)
– Description of plan benefits (no remuneration)
– Non-plan products and services available to enrollees (no remuneration)
– Is this broad enough to cover everything a health plan does?
PHI of Decedents
New regs: PHI ceases to be protected once individual has been deceased for 50 years
New regs: Can disclose decedent’s PHI to family members or others involved in decedent’s care or payment for care
Modest change for health plans
– May be difficult to track
– Should probably include in notice of privacy practices
– Discuss with TPA (if self-funded) whether TPA can track this? Or just ignore it because it is optional?
GINA
New regs also address Genetic Information Nondiscrimination Act (“GINA”)
Maintain current rule that genetic information is generally PHI
– Update definition of “PHI”
Adopts proposed rule from 10/2009 that genetic information cannot be used for underwriting purposes
– Includes: (1) rules for, or determination of, eligibility; (2) computation of premium or contribution amounts; (3) application of pre-existing condition exclusion; (4) other activities related to creation or renewal
GINA
Plan cannot include genetic information in summary health information it discloses to plan sponsor so sponsor can obtain premium bids
Plan can use and disclose genetic information to determine medical appropriateness (e.g., whether to have mammogram before age 40)
If plan engages in “underwriting”, state in notice of privacy practices that it cannot use genetic information for such activity
Notices of Privacy Practices
Will likely need to be updated
New regs confirm that should inform individuals of breach notification rights
Also must state authorization usually needed for:
– Most uses and disclosures of psychotherapy notes
– Uses and disclosures for marketing
– Sale of PHI
– Other uses and disclosures not described in notice made only with authorization from individual
Other changes as noted previously
Some new distribution rules
– If have web site, post by effective date
  But does a plan ever have a web site?
– If not, provide it within 60 days of material revision
Policies and Procedures
Will almost certainly need to be updated
Some changes (e.g., definition of “breach”) unexpected and almost certainly not in existing procedures
Remember to re-train after changes made
Business Associate Agreements
Possible but unlikely that no changes needed (e.g., if general terms used – no set definition of “breach”)
– If go this route, may need to do analysis of all BAAs
– Even if “template” used as starting point, may have changed during negotiations
Given HIPAA enforcement, good idea to re-visit them all and make items more clear
Questions and Answers
Thank you for attending
John L. Barlament
Quarles & Brady LLP
411 E. Wisconsin Avenue
Suite 2350
Milwaukee, WI 53202