Should employers care about the final HIPAA rule?
Even companies not covered by the law can never review too often their privacy and security policies and procedures
Q. Don has been reading about there being new rules in place regarding HIPAA, but he is uncertain as to whether his business needs to comply. How does he determine whether the new rules impact him and, if so, of what should he be aware?
A. The first thing a company should determine is whether it is a “covered entity” or “business associate” of a covered entity under the Health Insurance Portability and Accountability Act, or HIPAA.
Individuals, organizations and agencies that meet the definition must comply with the rule’s requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the business associate must also comply. Simply stated, if an entity does not meet the definition of a covered entity or a business associate, it does not need to comply with HIPAA.
Typically, a covered entity is either a health care provider, a health plan or a health care clearinghouse. In addition, a health care provider (physician, chiropractor, dentist, nursing home, pharmacy) is only required to comply if it transmits information about covered transactions (billing, confirmation of coverage) electronically.
If an employer maintains a self-insured health plan that covers more than 50 employees, the plan is a group health plan covered by HIPAA. It is fair to say that most employers who provide health insurance to employees in a traditional insured plan or HMO will not be covered entities simply because they employ people and receive personal health information — for example, in connection with a request for medical leave.
For some time, health care providers and health plan administrators who are covered by HIPAA have been discussing and anticipating the release of a final rule by the U.S. Department of Health and Human Services. HHS described the rule, officially published on Jan. 25, as a move to strengthen the privacy and security protections for health information established under HIPAA. The effective date of the rule was March 26, while the date by which all covered entities and business associates must comply with most of the provisions of the rule is Sept. 23, 2013.
For those covered entities, primarily employers who self-insure health care, health insurers and health care clearinghouses, it is time to review and update policies and procedures. The following compliance action items should be considered:
• Revise business associate agreements to comply with the rule
• Revise and redistribute your notice of privacy practices regarding (a) a patient’s right to restrict disclosure and to opt out of certain disclosures; (b) the types of uses and disclosures that require individual authorization; (c) right to notice in the event of a breach; and (d) rights regarding the use of genetic information for health plan underwriting
• Update security policies for breach notification risk assessments to replace any “harm threshold” analysis with the revised objective standard provided by the rule
• For business associates and subcontractors, make sure your privacy and security policies are HIPAA-compliant
• For business associates, identify all subcontractors who create, receive, maintain or transmit protected health information on your behalf and enter into HIPAA compliant business associate agreements with them
Meanwhile, employers not covered by HIPAA can never review too often their privacy and security policies and procedures. Employee medical information (FMLA, ADA, workers’ compensation) should always be kept in a separate confidential medical file for each employee with access restricted to those who have a legitimate need. Other private information about employees or others with whom a company does business (Social Security numbers, credit card numbers) should be subject to a written information security plan, or WISP, which is required for all residents of Massachusetts (and what New Hampshire company does not employ or do business with Massachusetts residents?) and is considered a necessary best practice for all companies.
In sum, even businesses not subject to HIPAA should carefully consider how it safeguards the private information of their employees and customers. The breaches that result from failure to protect such information adequately can be very costly in terms of financial liability, adverse publicity (remember TJX?) and customer relationships.
Charla Bizios Stevens, a shareholder and director in the Employment Practice Group of the McLane Law Firm, is also state director of the HR State Council of New Hampshire. She can be reached at 603-628-1363 or at firstname.lastname@example.org.