Tuesday, February 23, 2010

Fire in the Hole!

Having reached the one-year anniversary of the HITECH Act ("Health Information Technology for Economic and Clinical Health Act"), enacted as part of the American Recovery and Reinvestment Act of 2009, many changes to the HIPAA Privacy and Security Rules are now effective. Unfortunately, since the Department of Health and Human Services has not yet issued guidance with respect to most of these changes, Covered Entities and Business Associates must begin good faith compliance based solely on the language of the HITECH Act.

First, some background. HIPAA mandates that a "covered entity" possessing "personal health information" ("PHI") comply with certain privacy and security requirements in order to maintain the confidentiality and security of PHI. A covered entity is a health care provider, health care clearinghouse, or health plan. For this purpose, a "health plan" includes insured and self-insured group health plans and HMOs, flexible benefit plans with medical savings accounts, employee assistance plans and wellness benefit programs. An employer that sponsors a health plan is not a covered entity. However, such an employer may still be affected by HIPAA in two ways.

First, as a health plan sponsor, the employer is responsible for the health plan's compliance with HIPAA. Accordingly, the employer must determine how the plan should comply with HIPAA and ensure that it does so. In carrying out its responsibilities under the plan, an employer may delegate some or all of those responsibilities to business associates, but the employer remains ultimately responsible for the plan's HIPAA compliance. A business associate is a third-party entity that either (i) on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of PHI or (ii) provides services to a covered entity that involve the disclosure of PHI by the covered entity or its business associates. Often, an employer sponsoring a self-funded health plan or a health flexible spending account ("health FSA") will enter into a business associate agreement with a third party administrator to process benefit claims or requests for reimbursement from the health plan or health FSA.

Second, if the employer sponsoring a health plan performs certain plan administrative functions (e.g., reimbursing health care expenses or deciding health benefit appeals), the employer likely will have access to PHI obtained from the health plan. In that case, the employer itself must comply with HIPAA's privacy and security requirements as a condition to receiving PHI from the health plan.

Accordingly, in conducting its operations involving health benefits, a covered entity and an employer sponsoring a health plan often will make use of third parties that may be "business associates" of the covered entity.

Now, highlights of HITECH include:

Direct Liability for Business Associates

Most significantly, Business Associates are now directly subject to the HIPAA Security Rule and most aspects of the HIPAA Privacy Rule, which, among other things, requires them to take the following actions:

• Designate a HIPAA security officer and provide security awareness and training for the workforce.
• Conduct a written risk analysis to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the Business Associate.
• Establish policies and procedures for the implementation specifications required by the HIPAA Security Rule.

Changes to the Privacy Rule

Additional changes now effective under the HIPAA Privacy Rule include:

• Minimum Necessary Restrictions. Under the minimum necessary standard, Covered Entities and Business Associates using or disclosing Protected Health Information (PHI) must take reasonable efforts to limit PHI to the "minimum necessary" to accomplish the intended purposes. Until HHS issues guidance to define "minimum necessary" (expected by Aug. 17, 2010), the safe harbor to automatically comply with this standard now requires that Covered Entities and Business Associates limit use and disclosure of PHI to the "Limited Data Set."
• Right to Electronic Copy. For PHI maintained in an electronic health record, an individual now has the right to receive an electronic copy and/or designate that the PHI be sent to another entity or person.
• Right to Require Non-Disclosure for Out-of-Pocket Services. Health care providers must now comply with an individual's request that PHI regarding a specific health care item or service not be disclosed to a health plan for purposes of payment or health care operations if the individual paid out-of-pocket, in full, for that item or service.
• Mandatory Audits. The Secretary of HHS must perform periodic compliance audits on Covered Entities and Business Associates.

Sanctions for Failure to Provide Breach Notifications

To provide adequate time for Covered Entities and Business Associates to implement and begin good faith compliance with the interim final breach notification regulations, HHS temporarily suspended the imposition of sanctions for six months. Consequently, the enforcement provisions now become effective for breaches of unsecured PHI discovered on or after Feb. 22, 2010.

An employer with a health plan that uses the services of one or more business associates should confirm that each business associate providing services to the health plan is aware of its enhanced HIPAA obligations, which became effective February 17, 2010. Such confirmation may already have been obtained by the plan's insurer or third party administrator, but if it has not, communication with the business associate is advised. An employer might also consider seeking an acknowledgement that the business associate is in full compliance with its enhanced obligations under HIPAA.