Will You Meet the September 23, 2013 Deadline for HIPAA Compliance?
On February 17, 2009, the Health Information Technology for Economic and Clinical Health Act ("HITECH") was signed into law. This was the first major amendment to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). On January 17, 2013, the U.S. Department of Health and Human Services ("HHS") issued final rules implementing and clarifying various components of HITECH (the "Final Rule"). The Final Rule has broad implications for employers who sponsor health plans for employees. The Final Rule imposes new penalties for violations of HIPAA and provides new rights to employees who participate in an employer's health plan.
HIPAA compliance for health plans is complicated. It is important to note that the definition of a "health plan" under HIPAA is broad (i.e., any plan that provides or pays for the cost of medical care) and could include, as an example, flexible benefit plans, wellness programs, employee assistance programs, and medical reimbursement accounts.
With some limited exceptions, the vast majority of health plans are governed by HIPAA. One should think of plans as placed somewhere on a continuum. At one end of the continuum, there is an exception from HIPAA for a health plan with fewer than 50 participants if it is administered and funded solely by the employer. At the other end of the continuum, if the health plan is fully insured and shares only summary information with the employer, the plan (although technically still governed by HIPAA) is exempt from most of the HIPAA requirements, with the understanding that the insurer assumes the plan's HIPAA responsibilities. Plans that fall between those points on the continuum (such as self-insured plans administered by a third-party administrator ("TPA") or plans with more than 50 participants) are defined as "covered entities" subject to HIPAA.
Regardless of the type of plan, it is important to note that the employer is not the covered entity; the health plan is the covered entity. However, unlike other covered entities under HIPAA (such as medical providers), the health plan does not have its own employees and facilities. Instead, the health plan relies on the employer (i.e., the plan sponsor) to perform any actions required of the plan, such as complying with various laws. In many cases, a health plan will contract with a TPA to perform certain services; however, even if a TPA is involved, the plan (and thus the employer, as plan sponsor) remains ultimately responsible for HIPAA compliance.
In accordance with the Final Rule, health plans governed by HIPAA need to amend their current privacy and security policies and procedures to incorporate new provisions relating to breach notification obligations, new business associate obligations, new restrictions on disclosure, new protections related to genetic information, and various other new obligations for the health plan, as well as various new rights for the participants. Business associate agreements and notices of privacy practices will similarly need to be revised. The revised notices of privacy practices will need to be made available to all participants and the covered entity’s workforce will need to be trained on all the revised policies and procedures. The deadline for compliance with the Final Rule is September 23, 2013.
Please contact a member of Koley Jessen’s Employment, Labor and Benefits Practice Group if you have questions related to any of the above.