Resources: Legal Alert

online

HIPAA Privacy and Security: Steps to Comply with 2013 Regulations
August 27, 2013
On January 25, 2013, the U.S. Department of Health and Human Services ("HHS") made significant changes to its regulations on privacy and security of protected health information ("PHI") used by health plans and health care providers. Those changes implemented the 2009 amendments to the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Below are frequently asked questions and answers to help you comply.

Steps to Comply with 2013 Regulations:

Question 1: What steps must affected health plans and health care providers take to comply with the amended HIPAA regulations?
Question 2: How and when must a notice of privacy practices be changed?
Question 3: How and when must business associate agreements comply with the revised rules?

Question 1: What steps must affected health plans and health care providers take to comply with the amended HIPAA regulations?

The amended HIPAA regulations require health plans and health care providers to revise the following documents they have been using to comply with HIPAA, within the time limits described below (in some cases, by September 23, 2013):
  • notices of privacy practices distributed to individuals covered by health plans and patients of health care providers, 
  • other policies and procedures with respect to PHI, and 
  • business associate agreements with contractors that use, create, maintain or transmit PHI for the plan or provider. For example, a self-insured health plan must have a business associate agreement with a third party administrator. 
Practical Point: Many employers sponsoring insured health plans have agreed with their insurers that the employer and its insurance agent will not have access to any PHI of the employees and family members covered by the plan. In that case, the insurer, rather than the employer, is required to comply with the privacy and security rules of HIPAA on behalf of the health plan. This means that any such employer need not create or update any of the documents listed above.

Question 2: How and when must a notice of privacy practices be changed?

Every health plan and health care provider that must comply with the privacy and security rules of HIPAA is required to distribute a notice of privacy practices to individuals for whom the plan or provider holds PHI. Those notices must be revised as follows:
  • Notice of privacy practices distributed by a health plan or health care provider. The following new information must be added to (a) a notice of privacy practices distributed by a health plan; and (b) any other policies and procedures of the plan or provider with respect to PHI: 
    • An individual's right to a copy of his or her PHI now includes the right to an electronic copy of any PHI held in the electronic records of the plan or provider; and
    • The plan or provider is required by law to promptly notify affected individuals after it discovers a breach of unsecured PHI, based on an assessment of the risk of unauthorized disclosure. However, unsecured PHI does not include PHI that is unusable, unreadable or indecipherable by unauthorized persons.
Practical Point: The amended regulations apply to both health plans and health care providers, but the following items are described below under the type of entity most likely to be affected by the changes:

Health plan's notice of privacy practices. The following new information must be added to (a) a notice of privacy practices distributed by a health plan; and (b) any other policies and procedures of the plan with respect to PHI:
  • The plan is prohibited from using or disclosing any PHI that is genetic information, for the plan's underwriting or premium rating purposes. Genetic information includes an individual's family medical history and any genetic testing results. 
Health care provider's notice of privacy practices. The following new information, if applicable, must be added to (a) a notice of privacy practices distributed by a health care provider, and (b) any other policies and procedures of the provider with respect to PHI:
  • If any of the following disclosures of an individual's PHI may be made by a health care provider, the type of disclosure must be described, along with a statement that the disclosure will be made only with the individual's written authorization (which may be revoked): 
    • disclosure of psychotherapy notes,
    • disclosures for marketing, and
    • any sale of the PHI.
  • If the provider will use an individual's PHI to contact him or her for fund-raising, that use must be stated along with the individual's right to opt out of receiving those communications. 
  • Except for disclosures required by law, the provider must agree to an individual's request to restrict disclosure of his or her PHI, if the PHI relates to a health care item or service for which the individual (or a person other than a health plan) has paid the provider in full. For example, a patient might want to prevent disclosure of an embarrassing condition to other providers or a health plan covering the patient. 
When must the revised notice of privacy practices be distributed? HHS has stated that the revised rules for notices of privacy practices will require material changes to those notices, as described above. Health plans and health care providers must revise their notices of privacy practices by September 23, 2013; and distribute the revised notices as follows:
  • If the health plan does not have its own web site, the plan must provide the revised notice (or a description of the material changes and how to obtain the revised notice), to covered individuals within 60 days after September 23, 2013. 
  • If a health plan has a web site, the revised notice (or a description of the material changes) must be prominently posted on the web site by September 23, 2013; and the revised notice (or a description of the changes and how to obtain a copy) must be distributed with the plan's next annual mailing to covered individuals. 
  • A health care provider must make its revised notice available on or after September 23, 2013, as follows: (a) to any new patient, (b) upon any patient's request; and (c) if the provider has a facility for delivery of health care: 
    • copies of the revised notice must available to individuals at the facility, and
    • the revised notice must be posted in a prominent location at the facility where individuals seeking health care service are able to read the notice.
Question 3: How and when must business associate agreements comply with the revised rules?

What is a "business associate agreement? A health plan or health care provider may delegate functions to "business associates" (other than its own workforce) who may create, receive, maintain or transmit PHI for the plan or provider under a written agreement. Business associates now include persons who transmit PHI and require access on a routine basis, and also persons who only store PHI. In addition to the new items listed below, the agreement must require the business associate to comply with the privacy and security rules of HIPAA; and describe any uses and disclosures of PHI by the business associate that are permitted in performing the agreement.

How must business associate agreements be changed? HHS has stated that the amended regulations will require changes to business associate agreements, as follows:
  • The agreement should state that the privacy and security rules of HIPAA now apply directly to the business associate, in addition to the requirements of the agreement. 
  • The business associate must be required to quickly report to the plan or provider any breach of unsecured PHI (a new term that should be defined in the agreement). 
  • If a business associate delegates any work to a subcontractor who will create, receive, maintain or transmit PHI, the business associate and the subcontractor must sign a business associate agreement that complies with the HIPAA rules and the business associate's servic agreement with the plan or provider. 
  • If the business associate will carry out any HIPAA privacy obligations of a plan or provider, the business associate must be required to comply with the HIPAA privacy rules that apply to the plan or provider for those obligations. 
  • The business associate must be required to safeguard electronic PHI, including performing and documenting a risk analysis. 
Practical Point: Some business associate agreements may pre-date the HIPAA security rules, which became effective in 2005; and must also be amended to comply with those rules.

When must business associate agreements comply?
  • Any business associate agreements that are first effective on or after January 25, 2013, or are renewed or changed between that date and September 22, 2013, must comply with the revised rules by September 23, 2013. 
  • Any business associate agreement that was in effect before January 25, 2013, but did not comply with the HIPAA rules in effect on that date, must comply with the revised rules by September 23, 2013. 
  • Any business associate agreement that (a) was in effect before January 25, 2013, (b) complied with the HIPAA rules in effect on that date, and (c) is not renewed or changed between that date and September 22, 2013, need not be amended before September 22, 2014, unless it is renewed or changed on or after September 23, 2013. 
We can help
Please contact Maslon's Employee Benefits Team if you have questions or would like more information about how the Affordable Care Act may impact your company. We will continue to send Maslon ACA alerts on other issues affecting large employers.

RELATED PRACTICE AREAS

Related Attorneys

DISCLAIMER
Thank you for your interest in contacting us by email.

Please do not submit any confidential information to Maslon via email on this website. By communicating with us we are not establishing an attorney-client relationship, and information you submit will not be protected by the attorney-client privilege and cannot be treated as confidential. A client relationship will not be formed until we have entered into a formal agreement. You should also be aware that we may currently represent parties whose interests may be adverse to yours, and we reserve the right to continue to represent them notwithstanding any communication we receive from you.

If you would like to discuss possible representation, please call one of our attorneys directly or use our general line (p 612.672.8200). We can then fully discuss our intake procedures and, if appropriate, introduce you to an attorney suited to assist with your matter. Alternatively, you may send us an email containing a general inquiry subject to these terms.

If you accept the terms of this notice and would like to send an email, click on the "Accept" button below. Otherwise, please click "Decline."