New Regulation Implements HITECH Changes to HIPAA


Benefit Minute is a monthly newsletter written and distributed by PSA’s Director of Employee Benefits Compliance, Tina Bull. In addition to managing and overseeing all activities of the Compliance Services Department, Tina advises and assists PSA clients with respect to health and welfare plan design, administration and communication, concentrating on current benefit laws and regulations. The following Benefit Minute focuses on the final regulation released by the Department of Health & Human Services (HHS) to implement amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (HITECH).

PSA Benefit Minute

The Department of Health & Human Services (HHS) has released a final regulation to implement amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health Act (HITECH). This final regulation does not substantially change the basic framework of HIPAA privacy and security compliance, but it does raise the standards with respect to certain items. Set forth below is a summary of the more significant items that impact group health plans.

Breach Notification
Under the new regulation, the improper acquisition, access, use or disclosure of unsecured protected health information (PHI) is presumed to be a reportable breach unless it can be demonstrated that there is a low probability that the PHI was compromised. A risk assessment should be performed to make this determination and should consider the following factors:

  • the nature and extent of PHI involved;
  • the recipient of the PHI;
  • whether the PHI was actually acquired or viewed; and
  • the extent to which the risk to PHI has been mitigated.

Prior to the final regulation, a breach of unsecured PHI was not reportable unless there was a significant risk of financial, reputational, or other harm to the individual. As a result of this change, privacy and security policies and procedures should be reviewed to ensure that they minimize the risk of a breach of unsecured PHI. In addition, breach notification procedures should be updated to reflect this higher standard and to include the four-factor test.

Business Associates
The final regulation makes business associates and their subcontractors directly liable for civil monetary penalties for violations of the security rule or certain provisions of the privacy rule, including provisions that govern:

  • use and disclosure of PHI (including minimum necessary rules);
  • breach notification policies;
  • requests for PHI from individuals; and
  • requests for information from HHS.

In addition, the definition of a business associate has been expanded to include entities that maintain or store PHI, even without access.

Business Associate Agreements
In light of the final regulation, existing business associate agreements should be reviewed to ensure that business associates agree to:

  • comply with the security rule;
  • report breaches of unsecured PHI; and
  • enter into written Business Associate Agreements with their subcontractors.

These changes should be reflected in new business associate agreements by September 23, 2013; however, existing agreements do not have to be updated until September 22, 2014.

Notice of Privacy Practices
The final regulation requires the following additional information to be communicated in the plan’s notice:

  • Statement describing the duty of the plan to notify affected individuals of a breach;
  • Description of activities involving uses or disclosures of PHI that require an individual’s authorization;
  • Statement that the plan cannot use or disclose genetic information for underwriting purposes; and
  • Statement that an individual has the right to restrict disclosure of PHI when the individual has paid in full.

Notices should be revised by September 23, 2013 and distributed within 60 days.

Civil Monetary Penalties
Under HITECH, covered entities and business associates are subject to significant civil monetary penalties for violations of the privacy and security rules as follows:

  • No Knowledge (with exercise of due diligence) – from $100 to $50,000 per violation
  • Reasonable Cause (exercise of ordinary business care and prudence) – from $1,000 to $50,000 per violation
  • Willful Neglect, Corrected (conscious and intentional failure to comply) – from $10,000 to $50,000 per violation
  • Willful Neglect, Not Corrected – $50,000 per violation

For multiple violations of an identical requirement in the same year, monetary caps apply. The maximum amount (for $50,000 violations) is $1.5 million. These substantial penalty amounts are designed to encourage covered entities and business associates to focus on HIPAA compliance efforts.