This Month’s Compliance Corner: Primer on HIPAA’s Privacy and Security Rules for Employer-Sponsored Group Health Plans

PDF

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended and expanded by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, authorized the Department of Health and Human Services (“HHS”) to establish federal standards for the privacy and security of individually identifiable health information held by HIPAA covered entities (aka, “protected health information” or “PHI”). To implement HIPAA and the HITECH Act, HHS has issued extensive regulations addressing the requirements of covered entities to protect the privacy and security of PHI.

HIPAA’s requirements generally fall under three main categories: (1) the privacy rules; (2) the security rules (which relate to the protection of electronic PHI); and (3) the breach notification rules. Failure to comply with HIPAA’s privacy, security, or breach notification rules can result in significant consequences that include civil and criminal monetary penalties.

Which Entities Must Comply?

In addition to health care providers and health insurance companies, HIPAA covered entities include employer-sponsored group health plans. For purposes of HIPAA’s privacy and security rules, employer-sponsored group health plans include not only major medical plans, but also dental plans, vision plans, health flexible spending arrangements (FSAs), and health reimbursement arrangements (HRAs). They also may include supplemental welfare benefits like employee assistance programs (EAPs), wellness programs, and telemedicine programs, to the extent such programs provide significant benefits in the nature of medical care or treatment.

On the other hand, if a group health plan provides health benefits only through an insurance contract (i.e., it is fully insured) and neither the plan nor the plan sponsor creates, maintains, or receives PHI (other than plan enrollment/disenrollment information and summary health information for the limited purpose of obtaining premium bids or amending or terminating the plan), then the plan and plan sponsor will be exempt from the vast majority of the administrative burdens imposed by HIPAA’s privacy rules. In such case, the health insurer is solely responsible for compliance with most of HIPAA’s privacy rules, and the plan is only required to comply with the rules prohibiting intimidating or retaliatory acts against participants for exercising their HIPAA rights, and prohibiting requiring any participant to waive their HIPAA rights.

Covered entities, like employer-sponsored group health plans, that use third parties (i.e., “business associates”) to perform functions that require access to PHI must enter into business associate agreements (BAAs) with those third parties. Additionally, with the enactment of the HITECH Act, many of the privacy and security requirements apply directly to business associates in addition to applying to the group health plans or other covered entities for which they provided services.

Key Takeaway à If your company or organization sponsors group health plans (e.g., major medical plans, dental plans, vision plans, FSAs, HRAs, etc.) for its employees, then those plans may be subject to the full array of HIPAA’s privacy and security rules, particularly if any of those plans are self-insured. It is important to note that, for this purpose, FSAs and HRAs generally are considered to be self-insured. If subject to HIPAA, there are a number of documentation, disclosure, and other administrative requirements that likely apply with respect to your company’s plans, as discussed in more detail below in this article.

What Information is Protected?

The privacy requirements generally cover “individually identifiable health information” transmitted or maintained in any form and through any medium (electronic or otherwise). When such information is created or received by a covered entity (or by a business associate acting on behalf of the covered entity), it becomes “protected health information” or “PHI” subject to the privacy rules. The security rules apply to electronic PHI.

Health information that may be PHI includes any information related to (i) the individual’s past, present, or future physical or mental health condition, (ii) the provision of health care to the individual, or (iii) the past, present, or future payment for the provision of health care to the individual. Such health information becomes “individually identifiable” (and, thus, is likely to be PHI in the hands of the plan or its business associate) if there is a reasonable basis to believe that the information can be used to identify the individual to whom the health information relates Employment records that contain individually identifiable health information and that are held by the plan sponsor in its role as an employer are not PHI.

How Does HIPAA Apply to Employer-Sponsored Group Health Plans?

Privacy Rules

HIPAA’s privacy rules require that covered entities (e.g., employer-sponsored group health plans):

• Provide participants with a “Notice of Privacy Practices,” which explains the individuals’ privacy rights and how their health information may be used;
• Adopt and implement written privacy policies and procedures;
• Train workforce members who have access to PHI on the HIPAA policies and procedures and HIPAA requirements in general;
• Design a system of written disciplinary policies and sanctions for workforce members who violate the privacy policies and procedures;
• Designate a privacy official responsible for ensuring that the privacy policies and procedures are adopted and followed;
• Create a process for individuals to lodge complaints and a system for handling such complaints; and
• Refrain from intimidating or retaliatory acts against individuals for filing a complaint or otherwise exercising their HIPAA rights, and refrain from requiring individuals to waive their rights under the privacy rules.

In addition, the privacy rules set forth individuals’ rights with respect to their own PHI, and the privacy rules specify the permitted uses and disclosures of PHI by covered entities and their business associates. Under the use and disclosure rules, covered entities may use and disclose PHI for treatment, payment, and health care operations without an individual’s authorization. In most other cases, use or disclosure of PHI for any other purpose will require individual authorization. Treatment generally relates to the activities of health care providers, and so, it is beyond the scope of this article.

Payment encompasses various activities of group health plans related to obtaining premiums, fulfilling their responsibilities to provide benefits, and obtaining or providing reimbursement for the provision of benefits. Common payment activities include determining health plan eligibility or coverage, adjudicating claims, billing and collection activities, and justifying charges.

Health care operations refers to certain administrative, financial, legal, and quality improvement activities of group health plans, such as: underwriting, insurance rating and other activities relating to creation, renewal, or replacement of a contract of health insurance or health benefits (including stop-loss insurance and excess insurance); conducting or arranging for medical review, legal services, and auditing functions; and business planning, business management, and general administration activities.

Minimum Necessary Standard à One of the key, underlying requirements of the notice and disclosure rules is that covered entities must reasonably ensure that any PHI used, disclosed, or requested is limited to the minimum information necessary to accomplish the intended purpose of the use, disclosure, or request.

Security Rules

HIPAA’s security rules set forth security standards that require covered entities to implement reasonable and appropriate safeguards to protect the security of electronic PHI that they create, receive, maintain, or transmit. All PHI, including electronic PHI, is subject to the privacy rules; however, the security rules’ protections apply only to electronic PHI.

The security rules are divided into three categories of safeguards, each of which contains a set of broadly stated standards and a number of more detailed implementation specifications (which provide instructions for meeting the standards): (1) administrative safeguards; (2) physical safeguards; and (3) technical safeguards. The security rules also specify related organizational and documentation requirements.

Covered entities with access to electronic PHI must comply with all of the standards included in the three categories of safeguards; however, the rules distinguish between “required” and “addressable” implementation specifications under each category. Covered entities must comply with all required specifications, but, in contrast, for addressable specifications, entities must only (i) assess whether the specification is reasonable and appropriate given the entity’s own circumstances, and (ii) implement the specification if the entity deems it reasonable and appropriate. However, if the entity deems it not to be reasonable and appropriate, then the entity only must document the reasons for this determination, and then, if deemed necessary, implement an alternative security measure.

As exemplified by the above process, the security rules are intended to provide a flexible, scalable framework that allows a covered entity to tailor its security measures to its circumstances, rather than prescribing specific methodologies that all entities must employ to achieve compliance. There are, however, certain basic required implementation specifications with which all covered entities must comply. Under the administrative safeguards, one of the required implementation specifications involves conducting and documenting an initial and periodic risk analyses. It is those risk analyses that, among other things, allow covered entities to determine which of the addressable specifications must be applied, which may be disregarded, and which require the adoption of alternative security measures.

Breach Notification Rules

The HITECH Act added new requirements for covered entities to notify affected individuals, HHS, and, in certain circumstances, the media, in the event of a “breach” of unsecured PHI. Similarly, business associates need to provide notification to the covered entity if the business associate discovers a breach.

For purposes of the notification requirements, a breach is the unauthorized acquisition, access, use, or disclosure of unsecured PHI, which compromises the security or privacy of the information, with certain limited exceptions.

Unsecured PHI is PHI that has not been either encrypted or destroyed in a manner prescribed by HHS.

A covered entity or business associate must presume that an acquisition, access, use, or disclosure of unsecured PHI in violation of the privacy rules is a breach. This presumption holds unless the covered entity or business associate demonstrates that there is a “low probability” that the unsecured PHI has been compromised based on a risk assessment that considers at least the following four factors:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.

If, based on the risk assessment, the covered entity or business associate determines that a breach of unsecured PHI has occurred, then the breach notification requirements are triggered, and stringent rules dictate the timing, method, and content of the notice, and to whom it must be given. Generally speaking, notification to affected individuals, to HHS, and to the media is required within 60 days after the breach is discovered if the breach involves 500 or more individuals in a single state. If fewer than 500 individuals are affected, then the plan must provide notice to the affected individuals within 60 days after discovery of the breach and to HHS within 60 days after the end of the calendar year in which the breach is discovered.