HIPAA Privacy And Security Compliance For Group Health Plan Sponsors

Introduction

This report focuses on the final regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA),1 in January 2013,2 HIPAA enforcement and audit programs, HIPAA-related additional requirements of group health plan sponsors, and the actions that must be taken by group health plan sponsors to ensure compliance with the final regulations and requirements and to prepare for potential audits and enforcement actions.3

The HIPAA privacy and security rules govern the use and disclosure of an individual's protected health information, or PHI.4 The final HIPAA regulations made many changes to the existing HIPAA privacy and security rules that are applicable to covered entities, which include group health plans.5

Action Items for Plan Sponsors

Sponsors of group health plans should take the following steps to ensure compliance with the changes made by the final regulations, discussed in more detail below:

Review vendor list and ensure a business associate agreement is in place with all individuals or entities that meet the definition of business associate under the final regulations. Review existing business associate agreements and ensure the agreements comply with the final regulations. For example, ensure any business associate agreement requires business associates to enter into a business associate agreement with any subcontractors who are business associates under the final regulations that is at least as stringent as the business associate agreement between the group health plan and the business associate. Establish or review existing HIPAA policies and procedures, and train employees on these policies and procedures. These policies should include HIPAA-compliant forms such as authorization forms, access request forms, accounting request forms, and personal representative forms. Review breach notification and identification policies to ensure any breaches under the new standard are being reported. Breach notification and identification policies should include a risk assessment that evaluates at least the four factors mandated by the final regulations. Consider breach reporting requirements when entering into or revising business associate agreements, and ensure business associates are adequately assessing breaches and are required to notify the group health plan in enough time to give the plan adequate time to fulfill its obligations regarding breaches. Practice Tip: Keep in mind that state breach laws may be more stringent than the requirements under HIPAA. Thus, research applicable state laws and be sure and comply with them if they are more stringent. Review the plan's notice of privacy practices and any policies regarding electronic posting of the notice of privacy practices to ensure compliance with the final regulations. Ensure updates due to material changes are distributed in compliance with the final regulations. Business Associates

Many of the changes made by the final regulations apply to business associates.6 The final regulations extend many of the privacy and security requirements directly to business associates, along with penalties for noncompliance.7 In addition, the final regulations expand the definition of business associate.8 A business associate is now defined as a person who, on behalf of a covered entity, creates, receives, maintains, or transmits protected health information for a function or activity covered by the final regulations.9

The expanded definition now explicitly provides that a business associate includes a subcontractor of a business associate who creates, receives, maintains, or transmits protected health information on behalf of the business associate.10 As a result of the expanded definition of a business associate, business associate agreements governing the use and disclosure of protected health information should now be entered into by a business associate and any subcontractor who meets the definition of a business associate under the final regulations.11 This requirement extends down the line to any subcontractor of a subcontractor who meets the business associate definition. Any business associate agreements entered into by business associates and subcontractors must...