Narrowing the Scope: Applying the Final HIPAA Regulations to Group Health Plans
Employee Benefits Update
Date: April 02, 2013
Our Employee Benefits & Executive Compensation Group
Thompson Hine's employee benefits lawyers understand the rising costs, increasing scrutiny and changing legal landscape facing employers who provide group health plan benefits to employees. We are working closely with our clients to help design, implement and administer health plans in this challenging environment. The breadth and depth of our experience allows us to identify best practices as they emerge and provide responsive, legally compliant and cost-effective solutions. For more information on ensuring that the design of your group health plan, employee communications and plan documentation comply with the Health Information Portability and Accountability Act (HIPAA), please contact any member of our Employee Benefits & Executive Compensation practice group.
Although the U.S. Department of Health and Human Services (HHS) called the final "omnibus" HIPAA regulations (the Final Rule) the "most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented," several provisions in the Final Rule will not have a significant impact on most group health plans. We have sorted through the 500+ page regulation to highlight the provisions that are most likely to affect group health plans. See our January 2013 client bulletin for a summary of the Final Rule, including its impact on health care providers and individuals.
What Is the Final Rule?
HHS published final regulations in the Federal Register on January 25, 2013. The Final Rule updates the privacy, security and breach notification rules previously published under HIPAA, including the changes legislated in the Health Information Technology for Economic or Clinical Health Act (HITECH Act) and the Genetic Information Nondiscrimination Act (GINA). In addition, the Final Rule updates the HIPAA enforcement rule to reflect the increased tiered civil monetary penalty structure contained in the HITECH Act.
What Must a Group Health Plan Do in Response to the Final Rule?
Generally, a group health plan should:
- Apply the new breach standard.
- Revise privacy and security policies and train authorized employees on the new policies.
- Revise and redistribute the plan's privacy notice.
- Update business associate agreements and determine whether business associates are considered agents of the group health plan.
- Consider whether any other vendors should be considered business associates under the expanded definition of "business associate" included in the Final Rule.
- Update any miscellaneous forms and communications (such as forms for requesting access to protected health information (PHI)) impacted by the Final Rule.
- Ensure that all other aspects of the plan's HIPAA compliance program are complete and up to date.
This bulletin contains additional detail about each of these action items.
When Is the Final Rule Effective?
The Final Rule is effective March 26, 2013, but covered entities generally have an additional 180 days to come into compliance. Accordingly, and with one exception, group health plans must comply with the Final Rule (including by completing any required document updates) by September 23, 2013.
The exception involves updates to business associate agreements. Group health plans generally have until September 23, 2014 to update any business associate agreements that were in effect and compliant with the pre-HITECH requirements as of January 25, 2013. However, if such a business associate agreement is renewed or modified on or after September 23, 2013 and before September 24, 2014, it must be updated in connection with that renewal or modification.
What Is the New Breach Standard?
The HITECH Act requires that group health plans notify individuals and HHS (and, in some cases, the media) following a breach of unsecured PHI. A "breach" is generally defined as an acquisition, access, use or disclosure of PHI in violation of the HIPAA privacy rules (a HIPAA violation) that compromises the security or privacy of the PHI.
For breaches discovered before September 23, 2013, a HIPAA violation generally would not be considered a breach unless it posed a significant risk of financial, reputational or other harm to the individual.
For breaches discovered on or after September 23, 2013, a HIPAA violation generally would be considered a breach unless the group health plan can demonstrate a low probability that the PHI has been compromised, based on a risk assessment that includes at least the following four factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.
How Must a Group Health Plan’s Policies Be Updated?
Revised breach standard. See above.
Revised distribution requirement for privacy notices. See below.
Prohibition on use of genetic information. The Final Rule confirms that, although genetic information may be considered PHI, group health plans are not permitted to use or disclose genetic information for underwriting purposes or otherwise in violation of GINA.
Electronic access. An individual has a right to access PHI in a designated record set and generally to designate the form or format of that access. Prior to the Final Rule, if the PHI was not readily producible in the requested form or format, a group health plan was permitted to provide a hard copy of the PHI. Under the Final Rule, if PHI is not readily producible in the requested form or format, electronic PHI must be produced in a readable electronic format (such as via PDF emailed to the individual) agreed upon by the plan and the individual. A group health plan may provide a hard copy of the PHI only if the individual rejects the electronic formats offered by the group health plan.
Timeframes for responding to a request for access. A group health plan generally must respond to an individual's request for access within 30 days, but the plan may request a one-time 30-day extension by providing notice to the individual. Prior to the Final Rule, a group health plan was given 60 days to respond to a request for access to PHI maintained off-site. This automatic extension was eliminated in the Final Rule. Group health plans that need more than 30 days to respond to a request for access must request an extension, regardless of whether the PHI requested is maintained off-site.
A group health plan's security policy may be affected by a clarification in the Final Rule relating to copiers and fax machines. The security rules do not generally apply to fax transmissions where the PHI was not in electronic form immediately before the transmission. However, the Final Rule clarifies that PHI stored (intentionally or not) in copiers, fax machines and other devices is subject to the privacy and security rules. Group health plans should confirm whether PHI is stored in these types of devices, address this issue in the security risk analysis and adopt policies as necessary to protect PHI stored in these devices.
What Changes Must Be Made to the Privacy Notice?
The Final Rule requires that a group health plan's notice of privacy practices also include statements that:
- Uses and disclosures that require an authorization include:
  - Most uses and disclosures of psychotherapy notes.
  - Uses and disclosures for marketing purposes.
  - Sale of PHI.
- Individuals have a right to be notified about a breach of their unsecured PHI.
If the group health plan uses PHI for underwriting purposes, the notice must also state that the plan may not use or disclose genetic information for underwriting purposes.
How and When Must the Privacy Notice Be Redistributed?
The method and timing of redistribution will depend upon whether the group health plan posts its privacy notice on a benefits website. If a group health plan maintains a website with information about the plan's benefits (such as an intranet site or benefits portal), a copy of the privacy notice generally must be prominently posted on that site.
Plans with benefits websites. A group health plan that posts its privacy notice on its benefits website must prominently post an updated version of the privacy notice (or information about the changes) by September 23, 2013. The health plan must also provide the revised privacy notice (or information about the changes and how to obtain the revised privacy notice) in its next annual mailing to participants, such as with the next set of open enrollment materials.
Plans without benefits websites. A group health plan that does not post its privacy notice on a website must provide the revised privacy notice (or information about the changes and how to obtain the revised notice) to participants within 60 days of the effective date of the change. Assuming the changes become effective on September 23, 2013, the notice would need to be distributed by November 22, 2013.
- Note: Prior to the Final Rule, privacy notices were required to be redistributed within 60 days of a material modification, regardless of whether the group health plan posted its notice on a website. The Final Rule changes the method of redistribution, not only for the changes required by the Final Rule, but for any other material modifications that take place after September 23, 2013.
Can a Plan Distribute the Privacy Notice by Email?
The Final Rule did not change the requirements relating to electronic distribution. Therefore, the privacy notice must still be distributed in hard copy unless a participant affirmatively consents to receiving the notice via email, the consent has not been withdrawn and the group health plan provides a hard copy to any participant to whom the email transmission failed. In addition, even if a participant agrees to receive a notice via email, the group health plan still must provide a hard copy of the notice to that participant upon request.
What Changes Must Be Made to Business Associate Agreements?
The Final Rule requires that a business associate agreement also contain a business associate's covenants to:
- Comply with the HIPAA security rules.
- Report to the health plan any breaches of unsecured PHI.
- Enter into written business associate agreements with subcontractors.
- Comply with the HIPAA privacy rules to the extent that the business associate agrees to carry out the group health plan's obligations under those rules.
HHS has published sample business associate agreement provisions that incorporate these requirements.
- Note: Although many business associates attempted to include HITECH provisions in their agreements, it is extremely unlikely that current business associate agreements contain all four of these required provisions. Business associate agreements will need to be updated to include these provisions, even if they currently have a catch-all provision requiring the business associate to comply with the HITECH rules. Because virtually all business associate agreements will need to be updated, group health plans should consider using this opportunity to request any other revisions that may be considered desirable, whether for business reasons or to address the agency issue discussed below.
What Is the Significance of a Business Associate’s Status as an Agent?
Prior to the Final Rule, a group health plan generally would not be held liable for the HIPAA violations of its business associate so long as a valid business associate agreement was in place and the group health plan had no knowledge of, or reason to know about, HIPAA violations committed by the business associate. Under the Final Rule, the liability protection described above does not apply where a business associate is the group health plan's agent.
In addition, agency status impacts the timing by which a group health plan must provide notice of a breach of unsecured PHI. The plan generally must provide the required notice without unreasonable delay, but in no event later than 60 days after discovering the breach. Where the breach is committed by a business associate that is not the group health plan's agent, the deadline is 60 days from the date on which the business associate notifies the plan about the breach. Where the breach is committed by a business associate that is the group health plan's agent, the deadline is 60 days from the date on which the breach is known to, or by exercising reasonable diligence should have been known to, the business associate - regardless of when the business associate notifies the plan about the breach.
When Is a Business Associate Considered an Agent?
A group health plan must use the federal common law of agency to determine whether a business associate is considered its agent. The determination is fact-specific and should consider all of the circumstances surrounding the relationship.
However, the preamble to the Final Rule suggests that an essential factor in determining whether an agency relationship exists is the right of the group health plan to control the business associate's conduct in the course of performing a service for the plan. An agency relationship may exist where the group health plan may provide interim instructions or direction to the business associate. For example, if the business associate is responsible for responding to a request for access "in accordance with instructions to be provided by the plan," an agency relationship may exist.
Group health plans should closely review their business associate agreements and service contracts to determine whether the agreement inadvertently creates an agency relationship.
Did the Final Rule Change the Definition of Business Associate?
Yes, the Final Rule expands the definition of a business associate. Group health plans will likely be impacted most by the expansion involving an entity that maintains PHI. For example, an electronic data storage vendor (such as a cloud provider) that can access PHI is considered a business associate even if it does not, in fact, access that PHI.
- Note: Prior to the Final Rule, some group health plans chose not to enter into business associate agreements with data storage vendors, relying on the "conduit" exception that exempts entities such as the U.S. Postal Service from business associate status. HHS has signaled that the conduit exception will be very narrowly applied under the Final Rule.
Group health plans should reevaluate their list of business associates to ensure they have identified all vendors that may meet the expanded definition of "business associate."
What Other Documents Must Be Updated?
Miscellaneous HIPAA forms and communications may include provisions that are impacted by the Final Rule. For example, forms used to request access to PHI may contain a statement regarding the plan's ability to provide a hard copy of the PHI or the plan's 60-day timeframe for responding to a request for PHI maintained off-site. Group health plans should consider conducting a legal review of all their HIPAA documents to confirm the extent of any necessary revisions.
Why Should a Plan Revisit Its HIPAA Compliance Now?
1. The HITECH Act increased the penalties applicable to HIPAA violations. The penalties are tiered based on culpability of the group health plan (or business associate) and are based on whether corrections were made within 30 days after the date the group health plan (or business associate) has actual or constructive knowledge of the violation.
| Criteria for Determining Penalty | Minimum Penalty Per Violation |
| --- | --- |
| No actual or constructive knowledge | $100 - $50,000 |
| Reasonable cause and no willful neglect | $1,000 - $50,000 |
| Willful neglect and correction within 30 days | $10,000 - $50,000 |
| Willful neglect and no correction within 30 days | |
For any level of culpability, the penalty is capped at $1,500,000 for identical violations occurring during a calendar year.
The Final Rule confirms that HHS will consider the following factors, which may either mitigate or aggravate the amount of the civil monetary penalty:
- The nature and extent of the violation, including the number of individuals affected and the time period during which the violation occurred.
- The nature and extent of the harm resulting from the violation, including whether the violation caused physical harm, financial harm, or harm to an individual's reputation, and whether the violation hindered an individual's ability to obtain health care.
- The history of prior compliance.
- The financial condition of the group health plan or business associate, including whether the entity had financial difficulties that affected its ability to comply, or whether an imposition of a civil money penalty would jeopardize the ability of the plan or business associate to continue to provide or pay for health care and the size of the plan or business associate.
2. HHS is not obligated to attempt informal resolution. The Final Rule confirms that HHS may attempt to reach an informal resolution of a complaint or an issue discovered in a compliance review, but is not required to do so. In other words, group health plans cannot simply assume that HHS will try to work with them to remedy compliance - they must be prepared for the fact that noncompliance might be costly.
3. HHS has required monetary settlements with increasing frequency. HHS investigates every complaint and, more recently, has been auditing covered entities and investigating breaches reported on its website. In connection with this increased investigative activity, HHS has more frequently required settlement agreements (as opposed to mere remedial compliance efforts).
- Note: Recent HHS settlements have focused on covered entities' failures to address security of mobile devices and failures to complete or update HIPAA security risk analyses. Group health plans should review the published resolution agreements to ensure they are not experiencing the same compliance issues addressed in those settlements.
4. HHS has posted its audit protocol. HHS has published a comprehensive audit protocol that contains the compliance elements it reviews through its audits. Group health plans can use this protocol as a tool to confirm that all elements of their HIPAA privacy and security compliance are in line with federal requirements.
This bulletin highlights the provisions of the Final Rule that are most likely to affect group health plans. However, each group health plan is unique and may be affected by portions of the Final Rule not addressed in this bulletin (or may not be affected by portions of the Final Rule that are addressed here). Group health plans should consider consulting with legal counsel to understand the full impact of the Final Rule.
This advisory may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgement of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions.