HR Hero Line

Employers must comply with new HIPAA privacy and security regulations

by Gene Magee

As if learning the ropes under the Affordable Care Act (ACA) isn’t enough, employers offering health benefits to employees also need to gear up to comply with new Health Insurance Portability and Accountability Act (HIPAA) regulations that go into effect later this year. This article provides an overview of where the new regulations came from and what they mean for you.

Background
As a refresher, HIPAA, as enacted in 1996, directed the U.S. Department of Health & Human Services (HHS) to issue regulations requiring health plans to protect the privacy of health information and to provide reasonable and appropriate security against unauthorized uses and disclosures of health information transmitted electronically. The HHS promulgated its HIPAA privacy regulations, requiring compliance by April 14, 2003, for large health plans and by April 14, 2004, for small health plans. The HIPAA security regulations required compliance by April 20, 2005, for large health plans and by April 20, 2006, for small health plans.

The Genetic Information Nondiscrimination Act of 2008 (GINA) amended HIPAA regarding the privacy of genetic information, and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) made substantial changes to the HIPAA privacy and security provisions. Proposed regulations to implement GINA were issued on October 7, 2009. The HHS released interim final regulations on August 24, 2009, with respect to the breach notification requirements under the HITECH Act. And on July 14, 2010, and May 31, 2011, the HHS published more proposed regulations to implement other privacy and security changes made by the HITECH Act.

Then, on January 25, 2013, the HHS issued final omnibus regulations replacing both the interim final breach notice regulation and the proposed GINA and HITECH Act privacy and security regulations. This final rule generally requires compliance by health plans no later than September 23, 2013 (with a limited transition period until September 23, 2014, for necessary revisions to business associate agreements existing before January 25, 2013, unless otherwise amended or modified before the later date).

Time to get in compliance
So it’s now time for employers sponsoring healthcare plans to start taking affirmative steps to become compliant with the final rule by the compliance deadline. While a substantive review of the final rule is well beyond the scope of this article, here are some necessary steps you need to take:

  • Review existing vendor relationships with respect to group health plans:
    • To identify any business associates not having an existing business associate agreement and to put such agreements in place as soon as possible but no later than September 23, 2013; and
    • To make any revisions necessary to existing business associate agreements by September 23, 2014, or as part of any earlier non-HIPAA- related amendment (for example, breach notification, subcontractor requirements, compliance with the security regulations, and optional provisions allocating compliance responsibilities and/or providing for indemnification).
  • Amend (or, if necessary, adopt) written breach notification procedures.
  • Update and redistribute the Notice of Privacy Practices regarding new or revised individual rights and changes in policies and procedures.
  • Prepare or revise documentation for new or revised individual privacy rights:
    • To implement new access rights to an electronic copy of “personal health information” (PHI);
    • For authorization to use or disclose PHI for marketing purposes;
    • For restrictions of disclosures of health services paid for “out of pocket”;
    • For requests to transmit PHI to third persons; and
    • For disclosures of PHI to family members of a deceased patient.
  • Update privacy, security, and breach notification policies and procedures (GINA, types of information used for fund-raising without authorization, protection of PHI of deceased individuals for at least 50 years, disclosures of immunization records to schools, and possibly HHS suggestions about safeguarding PHI on portable electronic devices and deidentifying PHI).
  • Train workers with access to PHI on all applicable changes.

Bottom line
You also need to know that another result of the HITECH Act and the final rule likely will be increased HHS enforcement activity since there were numerous enforcement changes increasing both the authority of the HHS and the risks for employers. HIPAA enforcement previously was complaint-driven, but in the future, the HHS will actively conduct HIPAA privacy and security audits, with the agency now being required to investigate all complaints.

HIPAA penalties also were increased and now can be as high as $50,000 per violation, capped at $1.5 million per year for identical violations. However, the penalties can be “stacked” during the same year for different types of violations, meaning the maximum annual penalty actually can be multiples of the annual cap, depending on the number of violations and different types of violations during the same annual period.

So if you haven’t already, it’s time to get serious about HIPAA compliance, and you definitely shouldn’t wait until September 1. For this highly technical area―and particularly in light of simultaneous new requirements under the ACA―it’s best to seek advice from an experienced employment benefits attorney.

W. Eugene Magee is a member of Butler Snow’s business services practice group. He may be reached at gene.magee@butlersnow.com.