Benefits Law Update
        Practical advice from Verrill attorneys

        HIPAA Compliance for Group Health Plans – Next Steps for Employers

        by Eric D. Altholz on April 15, 2013

        In three previous posts devoted to the new Final Omnibus Rule under HIPAA we highlighted important changes regarding privacy breach notifications, business associates and business associate arrangements, and increased penalties and enforcement activity. We will complete our series regarding these significant new rules by suggesting steps that employers should begin to take now in order to meet the compliance deadline of September 23, 2013. While these steps are most relevant for employers that sponsor self-funded group health plans, which are considered “covered entities” for HIPAA purposes, we note that employers who provide health benefits to employees through fully insured arrangements must also be mindful of HIPAA requirements.

        Review and Update Policies and Procedures

        Employers should review their existing privacy and security policies and procedures and update them as necessary to reflect the new rules. Although the new rules do not expand the scope of employers’ obligations in material ways, they do make changes that are likely to affect the way employers (and their group health plan service providers) handle certain existing obligations. At a minimum, health plan sponsors will have to change the way potential privacy breaches are handled. Policies and procedures adopted after the enactment of the HITECH Act (in 2009) focus on the “harm standard,” which is eliminated under the new rules. Updated policies and procedures should reflect the presumption that an impermissible use or disclosure of PHI is a breach, and should guide the performance of a risk assessment that takes into account the four factors described in the Final Omnibus Rule, which may allow an employer to conclude that there is a “low probability” that the PHI has been compromised. Since the plan sponsor (acting for the plan) will have the burden of proof to show that a breach did not occur, updated policies should facilitate the documentation of every step of the breach analysis.

        Inventory Business Associates and Prepare for New BAAs

        Employers should review their group health plan service provider relationships in light of the expanded definition of “business associate” under the Final Omnibus Rule. Given the new definition, it is possible that service providers who were not considered business associates in the past should now be treated as such. Business associate agreements must also reflect the affirmative, direct compliance obligations described in the new rules. Most well-drafted business associate agreements already impose those obligations on business associates, so employers may not see a need for many changes in this regard. Note that the Final Omnibus Rule allows a covered entity to be held liable for the acts of a business associate that is considered its “agent” under common law standards. Employers should be mindful of this and consider adding protective language to affirmatively disavow any agency relationship with a business associate in appropriate cases. (Of course, this will only increase the need to pay close attention to indemnification provisions in business associate agreements.) Employers that do not use their own form of business associate agreement for health plan contracting may find the sample language developed by HHS to be a useful benchmark against which to evaluate the agreements that health plan service providers will inevitably begin to distribute over the next few months.

        Update and Distribute the Notice of Privacy Practices

        A new Notice of Privacy Practices will have to be prepared and distributed (or posted electronically) by September 23, 2013, in order to inform individuals covered by the group health plan of certain new rights as well as any changes in the employer’s privacy policies and procedures. The new Notices will have to include, among other things, changes in the breach notification rules, new prohibitions against the use or disclosure of genetic information by a health plan for underwriting purposes, and new rights to restrict disclosures of PHI to a health plan where the service was paid in full by the individual as an out-of-pocket expense.

        (Re)Train Your Workforce

        The Final Omnibus Rule does not modify the core responsibility of a covered entity to train its “workforce” regarding the privacy and security requirements of HIPAA and the content of the covered entity’s own HIPAA policies and procedures. The changes discussed above, however, all justify retraining the workforce. Since the workforce of most self-funded group health plans is made up of employees of the sponsoring employer, employers must devote the time and effort necessary to provide adequate training to their employees who work with the health plan. Note that an employer is not required to bring in outside resources to conduct training, though many employers find that partnering with their employee benefits legal counsel or other professional consultants is an effective way to accomplish the desired results.

        A Word About the “Compliance Deadline”

        As noted above, employers should aim to complete their HIPAA compliance efforts by no later than September 23, 2013. That is the compliance date as of which the Office for Civil Rights of HHS will begin enforcing the new rules. But it’s worth mentioning that the Final Omnibus Rule officially took effect March 26, 2013 (60 days after its publication in the Federal Register on January 25, 2013). While a failure to achieve full compliance by September 23, 2013 is not likely to be fatal, we strongly advise all employers to make a substantial and good faith effort to comply within that time frame.
