Legal Updates

New HIPAA Regulations Require Immediate Attention

Entities covered by the Health Insurance Portability and Accountability Act (“HIPAA”) and their business associates must immediately comply with new regulations concerning the provision of notice in the event of an unauthorized release of certain protected health information (“PHI”).

Under the new regulations, which are formally known as the HIPAA Omnibus Rule:

  1. HIPAA applies directly to “business associates,” such as vendors who contract with healthcare companies;
  2. covered entities and business associates must conduct a four-factor test to determine whether notice of an unauthorized release of certain PHI is required; and
  3. covered entities must update their Notice of Privacy Practices.

Covered entities that have not already updated their policies and practices to comply with the new regulations should make compliance a top priority.

Background

What Is HIPAA?

HIPAA is a federal law that regulates the use and disclosure of PHI.  It does so through provisions known as the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The Privacy Rule gives individuals rights over their PHI and sets rules and limits on who can receive such information.  Under this rule, covered entities are generally required to take reasonable steps to limit the use or disclosure of PHI in any format (i.e., paper or electronic).

The Security Rule requires covered entities to ensure that any electronic PHI is secured and protected from unauthorized access or use.  Under this rule, covered entities must adopt and implement physical, technical and administrative safeguards to ensure that electronic PHI remains private and secure.

The Breach Notification Rule requires covered entities to notify individuals, the media and/or the Secretary of the United States Department of Health and Human Services (“HHS”) in the event of an unauthorized release of “unsecured” PHI.  “Unsecured” PHI is PHI that has not been encrypted or destroyed.  Thus, the unauthorized disclosure of encrypted PHI is not a breach requiring notice under this rule.

Which Entities Are “Covered”?

Covered entities include: (1) health plans; (2) health care clearinghouses; and (3) health care providers that transmit PHI in electronic form in connection with “covered transactions.”  “Covered transactions” include “the transmission of information between two parties to carry out financial or administrative activities related to health care,” such as:

  1. Coordination of benefits;
  2. Health care claims or equivalent encounter information;
  3. Health care payment and remittance advice;
  4. Health plan premium payments;
  5. Health care claim status;
  6. Enrollment or disenrollment in a health plan;
  7. Eligibility for a health plan;
  8. Referral certification and authorization;
  9. First report of injury;
  10. Health care attachments; and
  11. Health care electronic funds transfers (“EFTs”) and remittance advice.

For many entities, it is fairly clear whether or not they are “covered.”  Some circumstances, however, present a closer question.  For example, a company or independent school* with a medical provider on staff may or may not be a covered entity.  If the staff medical provider treats minor ailments only, without billing a health insurance plan for the treatment, the entity would not be a covered entity.  If, however, the provider submits claims to insurance companies, the entity is at least a “hybrid” entity, with a portion being “covered.”  A detailed discussion of covered entity status is beyond the scope of this article, but we would be happy to discuss any questions related to whether or not your entity is “covered.”**

The New Regulations

The new regulations modify the obligations of covered entities and business associates in several ways.  The key changes are discussed below.

Direct Regulation Of Business Associates; Contract Requirement

The Security Rule and certain requirements of the Privacy Rule now directly apply to “business associates” of covered entities.  “Business associates” include entities that perform support functions for covered entities and, thus, have access to PHI.  Under the new rule, the definition of “business associate” has been expanded to include subcontractors of business associates and any entity that “creates, receives, maintains or transmits” any PHI on behalf of a covered entity.

The new regulations also govern the terms required to be included in business associate agreements, and require business associates to execute written agreements with their subcontractors.  All new business associate agreements were required to comply with the new regulations by September 23, 2013.  However, business associate agreements entered into before January 25, 2013, must be compliant by September 23, 2014, provided that if such agreements are renewed or modified before this date, then they must be compliant upon renewal or modification.  HHS has made available on its website a model business associate agreement.  The URL is as follows: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.

New Definition Of “Breach”

One of the more salient features of the new regulations is their definition of “breach,” the term used to describe a compromise of the security of PHI by a covered entity or business associate (and/or its related subcontractors).

Under the new regulations, any acquisition, access, use or disclosure of PHI in violation of the Privacy Rule is presumed to be a reportable breach unless the covered entity or business associate conducts a risk assessment and concludes that there is a low probability that PHI has been “compromised.”  The risk assessment must consider at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the PHI or to whom the disclosure was made;
  3. Whether the PHI was actually acquired or viewed; and
  4. The extent to which the risk to the PHI has been mitigated.

The previous definition of “breach” focused on whether an individual might have been harmed by the unauthorized access (or risk of access) to PHI.

If a breach affects more than 500 people, covered entities must notify the affected individuals, federal regulators and the media.  However, earlier this year, HHS announced a settlement for $50,000 with a small non-profit organization in Idaho for a breach involving fewer than 500 people, signaling that organizations of all sizes are being watched by federal regulators and therefore must ensure that they have adequate data security protections in place.

Updates To Privacy Notices

The new regulations require covered entities to update their Notice of Privacy Practices in several ways.  For example, they must describe the types of uses and disclosures of PHI that require an authorization and state that the entity is required by law to notify individuals of breaches.  HHS’s Office of Civil Rights (“OCR”) has issued a model privacy notice.  Information about the model notice is available on the OCR website.

Student Immunizations

The new regulations permit covered entities to share proof of student immunization directly with schools without first obtaining written consent from a parent or legal guardian.  While oral permission from parents or legal guardians (or from students over 18 and emancipated minors) is still required, this change reduces the documentation necessary between families and their health care providers or health care plans.  Accordingly, this change should enable schools to more readily obtain any immunization records required by applicable laws.

Recommendations

As a result of these and other changes to HIPAA, we recommend that independent schools and other employers do the following:

  • Assess whether their entity is a “covered entity”;
  • If so, review their HIPAA policies and procedures and revise them as necessary to ensure compliance;
  • Consider implementing policies and procedures requiring the encryption of all portable devices that may contain PHI;
  • Train any personnel who handle PHI or vendor contracts on the changes;
  • Review and revise Privacy Notices to ensure they reflect required changes;
  • Review all vendor relationships to ensure a Business Associate Agreement exists where required;
  • Review all existing Business Associate Agreements for compliance with the new regulations; and
  • Review and comply with the new requirements for breach notifications.

Please let us know if you have any questions about the new HIPAA regulations, or if you would like assistance with any aspect of compliance.

__________________________________________________________________________

* If a school is a recipient of funds under the Family Educational Rights and Privacy Act (“FERPA”), its student health records are not considered PHI pursuant to HIPAA, but rather are covered by rules applicable to “education records” under FERPA.  Most independent elementary and secondary schools do not receive FERPA funding.

** Simply sponsoring a group health plan administered by an outside insurer is usually not sufficient for an employer to become a covered entity under HIPAA as a “health plan.”  If, however, an employer is both a plan sponsor and a plan administrator, as may be the case with self-insured plans, it may be regulated by HIPAA, with the following caveat:  group health plans that have fewer than 50 participants and are self-administered are exempt from the HIPAA rules.