Contributed by Caryl Flannery and Rebecca Dobbs
If your business sponsors a self-insured or fully insured HIPAA-covered group health plan (including medical, dental, vision, long-term care, and employee assistance programs), your duties under HIPAA (Health Insurance Portability and Accountability Act) and exposure to liability just increased significantly. On January 17, the Department of Health and Human Services issued the final rule implementing the 2009 HITECH act which significantly upgraded HIPAA responsibilities and enforcement. The new rule has implications for many employers because it expands the definition of who is covered by HIPAA and adds new protections for employees and penalties for plan sponsors.
Under the new rules, an employer who contracts out health plan services to third parties needs to ensure that those third parties’ obligations as a Business Associate (“BA”) are met. BAs must sign a Business Associate Agreement with the plan sponsor spelling out the safeguards the BA will take to protect PHI and clarifying the BA’s role in the use of the PHI.
Being directly covered by HIPAA carries significant duties including designing policies and systems to ensure that PHI is used only for purposes consistent with the law; implementing safeguards for electronically stored PHI; tracking all disclosures of PHI; instituting additional protections for genetic information; complying with Health and Human Services (HHS) investigations and requests for information; and providing notice to employees whose PHI has been deemed inappropriately disclosed pursuant to the new materially lower “breach” threshold. HIPAA-covered entities are also subject to the newly‑enhanced penalties for breaches. Penalties for willful neglect and failure to correct will be at least $50,000 per violation and could be as much as $1.5 million in a calendar year. Under the new rules, HHS is no longer required to enter into informal resolution with covered entities and may immediately seek penalties through adversarial proceedings.
The new HIPAA requirements are complex and can only be summarized here. For more information on how the new HIPAA rules may affect your business, contact your employment or healthcare attorney. In the meantime, employers should begin taking the following actions:
- Work with your insurance providers to make sure that you have the smallest possible role in collecting, accessing or receiving employee PHI.
- Review existing Business Associate Agreements to ensure that they reflect the new regulations. Monitor all BAs with whom you share PHI.
- Post the revised Notice of Privacy Practices on your benefits website and distribute the notice to plan participants.
- Revise employee documents to eliminate all reference to or requirement for genetic information including family medical history.
- Audit your privacy practices to determine risks and weaknesses in your system then address those areas.