www.quarles.com

Employer Health Plans Under the New HIPAA Rules: Action Steps for Compliance
John Barlament
Quarles & Brady LLP
john.barlament@quarles.com
414.277.5727

Topics for Today

 Four main areas of HIPAA Administrative Simplification
 Enforcement strengthened and penalties increased

 Applying Security Rules to business associates (“BAs”)
 New breach notification rules
 New Privacy Rules

 Highlight where new regulations make changes
– For many items, new regulations made limited changes

Overview

 HIPAA enacted in 1996 and contained several parts
 Title I: Portability
– Pre-existing condition limitations

– Nondiscrimination rules

 Title II: Administrative Simplification – Core
Requirements
– Standard Transaction Rules

– Privacy Rules
– Security Rules
– Breach Notification Rules

 Administrative Simplification Rules amended several
times, including by HITECH Act in 2009 and health
care reform

Which Plans are Affected?

 Rules generally apply to “health plans”
– Major medical; dental; vision; health reimbursement
arrangement (“HRA”); health FSA
– Need to examine employee assistance plan (“EAP”) and
wellness plan separately
 Some may provide medical benefits, but not all will
 Complex area and some disagreement

– Does not usually apply to:
 Health savings accounts (“HSAs”) (although theoretically possible)
– Would apply to related high deductible health plan

 Self-administered plans with less than 50 “participants”
 Non-health plans (e.g., disability)
– Can be subject to other laws – e.g., ADA has privacy rules

Core Requirements Remain Same

 Standard Transaction Rules: Intended to put the
“simplification” in Administrative Simplification Rules
– When covered entities talk electronically, use same codes
 E.g., use a common identification number for various hospitals
and clinics
 Claims for benefits follow same electronic format

 Privacy: Use and disclosure rules for protected health
information (“PHI”)
– Administrative requirements for employers on behalf of health
plans
– Privacy rights for individuals

Core Requirements

 Security Rule: Applies to electronic PHI (“ePHI”)
– Administrative, physical, technical safeguards
 Some are “required”, others “addressable”

– Organizational, documentation requirements

 Breach Notification: Breach of “unsecured” PHI
– New regulations provide changes to “breach” definition
 No longer use “significant risk of financial, reputational or other
harm”

How Rules Apply to Group Health Plans

 “Basic” rules for employers and their plans remain the same

 Fully-insured plans (usually “hands off” PHI): Minimal
obligations
– Theoretically state no discrimination

 Self-funded plans (usually “hands on” PHI): Significant
obligations
– Amend plan document so employer follows HIPAA
– Create policies and procedures; train “workforce”
– Various administrative requirements (e.g., identify BAs)

 Vast majority of new regs do not apply “differently” to
health plans than to other covered entities

Overview – Health Care Reform

 Health care reform made some changes also
 New Standard Transactions
– Electronic funds transfer (regulations 1/2012; effective 1/2013)
 Employers / plan sponsors should have verified in 2012 that
current business associate agreement included this

 Follow Operating Rules
– Staggered effective dates
– Eligibility for health plan and health care claim status
regulations issued in 2011
 Effective January 2013

– Others take effect in 2014 and 2016

Overview – Health Care Reform

 Unique health plan identifier
– 9/2012 HHS issued final regulations
– Health plans apply for a unique number for Standard Transaction purposes
– Large health plans need one by 11/2014
– Small receive extra year; both use by 11/2016

 New “employer certification” requirement by end of 2013
– Certify compliance with certain Transactions and Operating Rules
– No regulations yet (so details unknown)
– Penalty range as low as $1 per covered life per day
– Put into updated business associate agreements (“BAAs”)?

 “Other” health care reform HIPAA changes not covered here
– E.g., increasing wellness plan discount / penalty from 20% to 30% - 50%

New Regulations

 Very long but maintain many prior proposed changes
 Most changes effective September 23, 2013
– E.g., updates to notices of privacy practices and policies and
procedures (discussed later)
– General “catch-all” provision would not be sufficient

 Changes to business associate agreements (“BAAs”):
– Complicated rules for whether effective date of updated BAAs
is 9/2013 or 9/2014
– However, extra year relief hinges on whether BAA complied
with HIPAA as in effect on 1/25/2013

New Regulations

– Employer may not be 100% certain, so may want to update all
by 9/2013 (not 9/2014)

 HHS published new sample BAA which is “better” than
prior sample
– http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
– Still leaves out some items (e.g., Standard Transaction Rules)
– Also does not include some other items employers / plans may
want
 E.g., no sending of PHI offshore; who determines if there is a
breach; who pays if a breach, etc.

Applying Rules to Business Associates

 Commentators complained of “gap” in health privacy
– BAs only indirectly covered

 HITECH now applies most HIPAA Security Rules (and some Privacy Rules) directly to BAs
 New regs: “Subcontractors” also must comply
– And subcontractors of subcontractors, etc.
– Can create contracting issues
 E.g., plan requires BA to notify it of breach within 10 days
 BA has Subcontractor 1
 Subcontractor 1 has Subcontractor 2

 Will agreement between Sub 1 and Sub 2 allow sufficient time
for breach at Sub 2 to reach plan within 10 days? Do Sub 1
and Sub 2 (or Sub 3 or Sub 4) even know of 10-day
requirement?

Applying Rules to Business Associates

 Many business associates will also have a health plan
– So, will have two “levels” of HIPAA compliance – as a BA and
as a sponsor of a health plan
– Some entities covered in three ways (provider; BA; sponsor of
plan)
 Policies and procedures will not be identical (but could have
significant overlap)

 Note: Still no direct duty under HIPAA for plans to
monitor their BAs
– However, ERISA does have a similar fiduciary duty

New Breach Notification Rules

 If: (1) covered entity or business associate
accesses, maintains, retains, modifies, records, stores,
destroys or otherwise holds, uses or discloses
“unsecured protected health information” and (2) there
is a “breach” of such information; and (3) the breach is
“discovered”; then (4) notification rules apply
 Covered entities and business associates follow rule

New Breach Notification Rules

 New regs: For this (and other obligations) plan can require BA (e.g., third party administrator (“TPA”)) to conduct on behalf of plan
– If so, must include in BAA
– Plan still liable (so consider indemnification?)
– Caution: BAs may have a “bias”
– Recommend that employer / plan reserve right to determine if “breach” occurred
– Also, recommend “quick” report to plan

 “Accesses, maintains…unsecured PHI”:
– Terms not well-defined but seems broad
– “Unsecured PHI” – PHI not secured through technology or
methodology approved by HHS
 4/17/09 HHS guidance “safe harbor” for data: in motion; at rest; in use;
disposed.
– Encryption (NIST approved)
– Destruction (shredded or purged)

 Note: Can have a “breach” of paper PHI or electronic PHI

New Breach Rules – Defining “Breach”

 “Breach” is: (1) acquisition, access, use or disclosure
(2) of PHI (3) in manner not permitted under Privacy
Rules (4) which “compromises” the security or privacy
of the PHI
– E.g., benefits department employee is curious about coworker’s medical situation and reviews (accesses) medical
record

– E.g., explanation of benefits (“EOB”) sent to wrong person and
actually opened

 Prior standard from 2009 regulations now eliminated
– “Significant risk of financial, reputational or other harm”

Defining “Breach”

 Old standard replaced by somewhat-vague
“compromised” standard
– Does not require that every improper use or disclosure be
treated as a “breach”

 Covered entity and business associate assume breach
occurred if improper use or disclosure

 Both assess probability that PHI has been
“compromised” based on a risk assessment
– Must consider at least four factors

Defining “Breach”

 (1) Nature and extent of PHI involved
– Including types of identifiers and likelihood of re-identification

 (2) Unauthorized person who used PHI or to whom the
disclosure was made
 (3) Whether PHI was actually acquired or viewed
 (4) Extent to which the risk to the PHI has been
mitigated
 All should be documented
– Plan may want BA to do assessment and provide it to plan

– HHS considered, but rejected, idea that third party determines
if “breach” occurred
– New regs: Burden of proof on plan / BA to prove no breach
occurred

Exceptions to “Breach”

 Does not include unintentional acquisition, access, use
or disclosure of PHI by workforce member (or acting
under authority) if done in good faith and within scope
and not further used or disclosed
– New regs: Does not include “snooping employees”

 “Breach” also does not include certain inadvertent
disclosures at covered entity or BA if information not
further used or disclosed
 “Breach” does not include disclosure where person
would not have reasonably been able to retain it

 New regs: Also may be other situations (above is not
exhaustive list)

Breach Rules – What Happens if Breach Occurs

 Generally notify affected individuals
– Usually within 60 days after breach “discovered”
 Includes discovery by an agent – clarify in BAAs that BA is not an
“agent”?

 HHS notification usually required after end of year

 If “major” breach of 500+, notify HHS within 60 days
and media
– For both, consider impact to employer’s brand / employee
relations issues

Breach Rules – Include in Content of Notification

 Brief description of what happened, including date of
breach and date discovered
 Types of unsecured PHI involved (e.g., name, Social
Security number, date of birth, home address, account
number)
 Steps individual should take to protect from potential
harm
 What covered entity is doing to investigate the breach, mitigate losses and protect against further breaches
 Contact procedures for individuals to ask questions;
shall include toll-free phone number, email
address, web site or postal address
 All written in “plain language”
 Require BA to provide if BA causes breach?

New Access Rules

 Individuals have right to access and obtain copy of PHI
in designated record set
 Health plan previously had to respond within 60 days
– 30 day extension also available

 New regs: Must respond within 30 days
– 30 day extension still available
– Will likely require changes to policies / procedures

 New regs: Plan must, if requested by
individual, transmit copy of PHI directly to another
designated person
– Request to do so “must” be in writing, signed by individual and
must clearly identify recipient

 Can still charge reasonable, cost-based fees
– New regs: No standard “retrieval fee”
– New regs: Can include cost of CD (if that is what individual
requests)

New Access Rules

 New Regs: If individual requests electronic copy of
PHI and if PHI maintained electronically, plan must
provide access to it in electronic form and format
requested
 If not possible, provide “machine readable” copy
– Includes Word, Excel, text, HTML, PDF

 Consider risks of allowing direct download on
individuals’ portable devices
 Employer probably does not have entire “designated
record set”
– Coordinate with TPA and other BAs (if self-funded)
– If employer’s health plan is fully-insured, likely forward
employee to insurer

Restriction Request Rules

 Individual can make restriction request under 164.522
– and covered entity usually need not follow it

 Under HITECH, covered entity must comply with
request if:
– Disclosure is to a health plan for purposes of carrying out
payment or health care operations (but not treatment) and
– PHI pertains solely to a health care item or service for which
the health care provider has been paid out of pocket in full

 Preamble to new regs: Rule only applies to providers
(not health plans)
– But, wording of regs not so limited
– Recommend updating health plan policies and procedures to
include

Guidance on “Minimum Necessary”

 Currently, most uses and disclosures of PHI must be of
“minimum necessary” amount
– Not always easy to know what “minimum necessary” means

 New Regs: BAs directly subject to rule
– Also includes requests a BA makes of another BA
– Parties may want to address in BAA
 Sample BAA from HHS has some language

– Future guidance expected

Prohibiting Sale of PHI

 Covered entity and BA cannot “directly or indirectly
receive remuneration” in exchange for any PHI unless
covered entity obtained valid authorization from
individual (and authorization must specify that
remuneration is acceptable)
 Are some exceptions (e.g., can receive a few dollars from individual for copying medical records; research, treatment)
 Will health plans ever “sell” PHI?
– Not typical but cannot rule it out

– Do include in BAA

Marketing of PHI

 Covered entity generally needs authorization for
“marketing” (communication encouraging purchase or
use of product)
 Several exceptions
– E.g., to provide refill reminders about current drug
(remuneration limited to cost of communication)
– Care coordination (no remuneration)
– Description of plan benefits (no remuneration)
– Non-plan products and services available to enrollees (no
remuneration)
– Is this broad enough to cover everything a health plan does?

PHI of Decedents

 New regs: Ceases to be protected after individual is
deceased for 50 years

 New regs: Can disclose decedent’s PHI to family
members or others involved in decedent’s care or
payment for care
 Modest change for health plans
– May be difficult to track
– Should probably include in notice of privacy practices
– Discuss with TPA (if self-funded) whether TPA can track this?
Or just ignore it because it is optional?

GINA

 New regs also address Genetic Information
Nondiscrimination Act (“GINA”)
 Maintain current rule that genetic information is generally
PHI
– Update definition of “PHI”

 Adopts proposed rule from 10/2009 that genetic
information cannot be used for underwriting purposes
– Includes: (1) rules for, or determination of, eligibility; (2)
computation of premium or contribution amounts; (3) application
of pre-existing condition exclusion; (4) other activities related to
creation or renewal

GINA

 Plan cannot include genetic information in summary
health information it discloses to plan sponsor so
sponsor can obtain premium bids
 Plan can use and disclose genetic information to
determine medical appropriateness (e.g., whether to
have mammogram before age 40)
 If plan engages in “underwriting”, state in notice of
privacy practices that it cannot use genetic information
for such activity

Notices of Privacy Practices

 Will likely need to be updated
 New regs confirm that should inform individuals of
breach notification rights
 Also must state authorization usually needed for:
– Most uses and disclosures of psychotherapy notes
– Uses and disclosures for marketing
– Sale of PHI
– Other uses and disclosures not described in notice made only with authorization from individual

 Other changes as noted previously
 Some new distribution rules
– If have web site, post by effective date
 But does a plan ever have a web site?

– If not, provide it within 60 days of material revision

Policies and Procedures

 Will almost certainly need to be updated
 Some changes (e.g., definition of “breach”) unexpected
and almost certainly not in existing procedures
 Remember to re-train after changes made

Business Associate Agreements

 Possible but unlikely that no changes needed (e.g., if
general terms used – no set definition of “breach”)
– If go this route, may need to do analysis of all BAAs
– Even if “template” used as starting point, may have changed
during negotiations

 Given HIPAA enforcement, good idea to re-visit them
all and make items more clear

Questions and Answers

Thank you for attending
John L. Barlament
Quarles & Brady LLP
411 E. Wisconsin Avenue
Suite 2350

Milwaukee, WI 53202
john.barlament@quarles.com

Many people do not realize that the Health Insurance Portability and.pdf
 
Hipaa it risk analysis and risk analysis
Hipaa it risk analysis and risk analysisHipaa it risk analysis and risk analysis
Hipaa it risk analysis and risk analysis
 
Hipaa basics
Hipaa basicsHipaa basics
Hipaa basics
 



HIPAA Rules and Action Steps for Compliance April 2013

  • 1. Employer Health Plans Under the New HIPAA Rules: Action Steps for Compliance
      John Barlament
      Quarles & Brady LLP
      john.barlament@quarles.com
      414.277.5727
      www.quarles.com
  • 2. Topics for Today
      - Four main areas of HIPAA Administrative Simplification
          - Enforcement strengthened and penalties increased
          - Applying Security Rules to business associates (“BAs”)
          - New breach notification rules
          - New Privacy Rules
      - Highlight where new regulations make changes
          - For many items, new regulations made limited changes
  • 3. Overview
      - HIPAA enacted in 1996 and contained several parts
      - Title I: Portability
          - Pre-existing condition limitations
          - Nondiscrimination rules
      - Title II: Administrative Simplification – Core Requirements
          - Standard Transaction Rules
          - Privacy Rules
          - Security Rules
          - Breach Notification Rules
      - Administrative Simplification Rules amended several times, including by HITECH Act in 2009 and health care reform
  • 4. Which Plans are Affected?
      - Rules generally apply to “health plans”
          - Major medical; dental; vision; health reimbursement arrangement (“HRA”); health FSA
          - Need to examine employee assistance plan (“EAP”) and wellness plan separately
              - Some may provide medical benefits, but not all will
              - Complex area and some disagreement
          - Does not usually apply to:
              - Health savings accounts (“HSAs”) (although theoretically possible)
                  - Would apply to related high deductible health plan
              - Self-administered plans with less than 50 “participants”
              - Non-health plans (e.g., disability)
                  - Can be subject to other laws – e.g., ADA has privacy rules
  • 5. Core Requirements Remain Same
      - Standard Transaction Rules: Intended to put the “simplification” in Administrative Simplification Rules
          - When covered entities talk electronically, use same codes
              - E.g., use a common identification number for various hospitals and clinics
              - Claims for benefits follow same electronic format
      - Privacy: Use and disclosure rules for protected health information (“PHI”)
          - Administrative requirements for employers on behalf of health plans
          - Privacy rights for individuals
  • 6. Core Requirements
      - Security Rule: Applies to electronic PHI (“ePHI”)
          - Administrative, physical, technical safeguards
              - Some are “required”, others “addressable”
          - Organizational, documentation requirements
      - Breach Notification: Breach of “unsecured” PHI
          - New regulations provide changes to “breach” definition
              - No longer use “significant risk of financial, reputational or other harm”
  • 7. How Rules Apply to Group Health Plans
      - “Basic” rules for employers and their plans remains same
      - Fully-insured plans (usually “hands off” PHI): Minimal obligations
          - Theoretically state no discrimination
      - Self-funded plans (usually “hands on” PHI): Significant obligations
          - Amend plan document so employer follows HIPAA
          - Create policies and procedures; train “workforce”
          - Various administrative requirements (e.g., identify BAs)
      - Vast majority of new regs do not apply “differently” to health plans than to other covered entities
  • 8. Overview – Health Care Reform
      - Health care reform made some changes also
      - New Standard Transactions
          - Electronic funds transfer (regulations 1/2012; effective 1/2013)
              - Employers / plan sponsors should have verified in 2012 that current business associate agreement included this
      - Follow Operating Rules
          - Staggered effective dates
          - Eligibility for health plan and health care claim status regulations issued in 2011
              - Effective January 2013
          - Others take effect in 2014 and 2016
  • 9. Overview – Health Care Reform
      - Unique health plan identifier
          - 9/2012 HHS issued final regulations
          - Health plans apply for a unique number for Standard Transaction purposes
          - Large health plans need one by 11/2014
          - Small receive extra year; both use by 11/2016
      - New “employer certification” requirement by end of 2013
          - Certify compliance with certain Transactions and Operating Rules
          - No regulations yet (so details unknown)
          - Penalty range as low as $1 per covered life per day
          - Put into updated business associate agreements (“BAAs”)?
      - “Other” health care reform HIPAA changes not covered here
          - E.g., increasing wellness plan discount / penalty from 20% to 30% - 50%
  • 10. New Regulations
      - Very long but maintain many prior proposed changes
      - Most changes effective September 23, 2013
          - E.g., updates to notices of privacy practices and policies and procedures (discussed later)
          - General “catch-all” provision would not be sufficient
      - Changes to business associate agreements (“BAAs”):
          - Complicated rules for whether effective date of updated BAAs is 9/2013 or 9/2014
          - However, extra year relief hinges on whether BAA complied with HIPAA as in effect on 1/25/2013
  • 11. New Regulations
          - Employer may not be 100% certain, so may want to update all by 9/2013 (not 9/2014)
      - HHS published new sample BAA which is “better” than prior sample
          - http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
          - Still leaves out some items (e.g., Standard Transaction Rules)
          - Also does not include some other items employers / plans may want
              - E.g., no sending of PHI offshore; who determines if there is a breach; who pays if a breach, etc.
  • 12. Applying Rules to Business Associates
      - Commentators complained of “gap” in health privacy
          - BAs only indirectly covered
      - HITECH now directly applies most HIPAA Security Rules (and some Privacy Rules) directly to BA
      - New regs: “Subcontractors” also must comply
          - And subcontractors of subcontractors, etc.
          - Can create contracting issues
              - E.g., plan requires BA to notify it of breach within 10 days
              - BA has Subcontractor 1
              - Subcontractor 1 has Subcontractor 2
              - Will agreement between Sub 1 and Sub 2 allow sufficient time for breach at Sub 2 to reach plan within 10 days? Do Sub 1 and Sub 2 (or Sub 3 or Sub 4) even know of 10-day requirement?
  • 13. Applying Rules to Business Associates
      - Many business associates will also have a health plan
          - So, will have two “levels” of HIPAA compliance – as a BA and as a sponsor of a health plan
          - Some entities covered in three ways (provider; BA; sponsor of plan)
              - Policies and procedures will not be identical (but could have significant overlap)
      - Note: Still no direct duty under HIPAA for plans to monitor their BAs
          - However, ERISA does have a similar fiduciary duty
  • 14. New Breach Notification Rules
      - If: (1) covered entity or business associate accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses or discloses “unsecured protected health information” and (2) there is a “breach” of such information; and (3) the breach is “discovered”; then (4) notification rules apply
      - Covered entities and business associates follow rule
  • 15. New Breach Notification Rules
      - New regs: For this (and other obligations) plan can require BA (e.g., third party administrator (“TPA”)) to conduct on behalf of plan
          - If so, must include in BAA
          - Plan still liable (so consider indemnification?)
          - Caution: BAs may have a “bias”
          - Recommend that employer / plan reserve right to determine if “breach” occurred
          - Also, recommend “quick” report to plan
      - “Accesses, maintains…unsecured PHI”:
          - Terms not well-defined but seems broad
          - “Unsecured PHI” – PHI not secured through technology or methodology approved by HHS
              - 4/17/09 HHS guidance “safe harbor” for data: in motion; at rest; in use; disposed.
                  - Encryption (NIST approved)
                  - Destruction (shredded or purged)
      - Note: Can have a “breach” of paper PHI or electronic PHI
  • 16. New Breach Rules – Defining “Breach”
      - “Breach” is: (1) acquisition, access, use or disclosure (2) of PHI (3) in manner not permitted under Privacy Rules (4) which “compromises” the security or privacy of the PHI
          - E.g., benefits department employee is curious about coworker’s medical situation and reviews (accesses) medical record
          - E.g., explanation of benefits (“EOB”) sent to wrong person and actually opened
      - Prior standard from 2009 regulations now eliminated
          - “Significant risk of financial, reputational or other harm”
  • 17. Defining “Breach”
      - Old standard replaced by somewhat-vague “compromised” standard
          - Does not require that every improper use or disclosure be treated as a “breach”
      - Covered entity and business associate assume breach occurred if improper use or disclosure
      - Both assess probability that PHI has been “compromised” based on a risk assessment
          - Must consider at least four factors
  • 18. Defining “Breach”
      - (1) Nature and extent of PHI involved
          - Including types of identifiers and likelihood of re-identification
      - (2) Unauthorized person who used PHI or to whom the disclosure was made
      - (3) Whether PHI was actually acquired or viewed
      - (4) Extent to which the risk to the PHI has been mitigated
      - All should be documented
          - Plan may want BA to do assessment and provide it to plan
          - HHS considered, but rejected, idea that third party determines if “breach” occurred
          - New regs: Burden of proof on plan / BA to prove no breach occurred
  • 19. Exceptions to “Breach”
      - Does not include unintentional acquisition, access, use or disclosure of PHI by workforce member (or acting under authority) if done in good faith and within scope and not further used or disclosed
          - New regs: Does not include “snooping employees”
      - “Breach” also does not include certain inadvertent disclosures at covered entity or BA if information not further used or disclosed
      - “Breach” does not include disclosure where person would not have reasonably been able to retain it
      - New regs: Also may be other situations (above is not exhaustive list)
  • 20. Breach Rules – What Happens if Breach Occurs
      - Generally notify affected individuals
          - Usually within 60 days after breach “discovered”
              - Includes discovery by an agent – clarify in BAAs that BA is not an “agent”?
      - HHS notification usually required after end of year
      - If “major” breach of 500+, notify HHS within 60 days and media
          - For both, consider impact to employer’s brand / employee relations issues
  • 21. Breach Rules – Include in Content of Notification
      - Brief description of what happened, including date of breach and date discovered
      - Types of unsecured PHI involved (e.g., name, Social Security number, date of birth, home address, account number)
      - Steps individual should take to protect from potential harm
      - What covered entity is doing to investigate the breach, mitigate losses and protect against further breaches
      - Contact procedures for individuals to ask questions; shall include toll-free phone number, email address, web site or postal address
      - All written in “plain language”
      - Require BA to provide if BA causes breach?
  • 22. New Access Rules
      - Individuals have right to access and obtain copy of PHI in designated record set
      - Health plan previously had to respond within 60 days
          - 30 day extension also available
      - New regs: Must respond within 30 days
          - 30 day extension still available
          - Will likely require changes to policies / procedures
      - New regs: Plan must, if requested by individual, transmit copy of PHI directly to another designated person
          - Request to do so “must” be in writing, signed by individual and must clearly identify recipient
      - Can still charge reasonable, cost-based fees
          - New regs: No standard “retrieval fee”
          - New regs: Can include cost of CD (if that is what individual requests)
  • 23. New Access Rules
      - New Regs: If individual requests electronic copy of PHI and if PHI maintained electronically, plan must provide access to it in electronic form and format requested
      - If not possible, provide “machine readable” copy
          - Includes Word, Excel, text, HTML, PDF
      - Consider risks of allowing direct download on individuals’ portable devices
      - Employer probably does not have entire “designated record set”
          - Coordinate with TPA and other BAs (if self-funded)
          - If employer’s health plan is fully-insured, likely forward employee to insurer
  • 24. Restriction Request Rules
      - Individual can make restriction request under 164.522 – and covered entity usually need not follow it
      - Under HITECH, covered entity must comply with request if:
          - Disclosure is to a health plan for purposes of carrying out payment or health care operations (but not treatment) and
          - PHI pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full
      - Preamble to new regs: Rule only applies to providers (not health plans)
          - But, wording of regs not so limited
          - Recommend updating health plan policies and procedures to include
  • 25. Guidance on “Minimum Necessary”
      - Currently, most uses and disclosures of PHI must be of “minimum necessary” amount
          - Not always easy to know what “minimum necessary” means
      - New Regs: BAs directly subject to rule
          - Also includes requests a BA makes of another BA
          - Parties may want to address in BAA
              - Sample BAA from HHS has some language
          - Future guidance expected
  • 26. Prohibiting Sale of PHI
      - Covered entity and BA cannot “directly or indirectly receive remuneration” in exchange for any PHI unless covered entity obtained valid authorization from individual (and authorization must specify that remuneration is acceptable)
      - Are some exceptions (e.g., can receive a few dollars from individual for copying medical records; research, treatment)
      - Will health plans ever “sell” PHI?
          - Not typical but cannot rule it out
          - Do include in BAA
  • 27. Marketing of PHI
      - Covered entity generally needs authorization for “marketing” (communication encouraging purchase or use of product)
      - Several exceptions
          - E.g., to provide refill reminders about current drug (remuneration limited to cost of communication)
          - Care coordination (no remuneration)
          - Description of plan benefits (no remuneration)
          - Non-plan products and services available to enrollees (no remuneration)
          - Is this broad enough to cover everything a health plan does?
  • 28. PHI of Decedents
      - New regs: Ceases to be protected after individual is deceased for 50 years
      - New regs: Can disclose decedent’s PHI to family members or others involved in decedent’s care or payment for care
      - Modest change for health plans
          - May be difficult to track
          - Should probably include in notice of privacy practices
          - Discuss with TPA (if self-funded) whether TPA can track this? Or just ignore it because it is optional?
  • 29. GINA
      - New regs also address Genetic Information Nondiscrimination Act (“GINA”)
      - Maintain current rule that genetic information is generally PHI
          - Update definition of “PHI”
      - Adopts proposed rule from 10/2009 that genetic information cannot be used for underwriting purposes
          - Includes: (1) rules for, or determination of, eligibility; (2) computation of premium or contribution amounts; (3) application of pre-existing condition exclusion; (4) other activities related to creation or renewal
  • 30. GINA
      - Plan cannot include genetic information in summary health information it discloses to plan sponsor so sponsor can obtain premium bids
      - Plan can use and disclose genetic information to determine medical appropriateness (e.g., whether to have mammogram before age 40)
      - If plan engages in “underwriting”, state in notice of privacy practices that it cannot use genetic information for such activity
  • 31. Notices of Privacy Practices
      - Will likely need to be updated
      - New regs confirm that should inform individuals of breach notification rights
      - Also must state authorization usually needed for:
          - Most uses and disclosures of psychotherapy notes
          - Uses and disclosures for marketing
          - Sale of PHI
          - Other uses and disclosures not described in notice made only with authorization from individual
      - Other changes as noted previously
      - Some new distribution rules
          - If have web site, post by effective date
              - But does a plan ever have a web site?
          - If not, provide it within 60 days of material revision
  • 32. Policies and Procedures
      - Will almost certainly need to be updated
      - Some changes (e.g., definition of “breach”) unexpected and almost certainly not in existing procedures
      - Remember to re-train after changes made
  • 33. Business Associate Agreements
      - Possible but unlikely that no changes needed (e.g., if general terms used – no set definition of “breach”)
          - If go this route, may need to do analysis of all BAAs
          - Even if “template” used as starting point, may have changed during negotiations
      - Given HIPAA enforcement, good idea to re-visit them all and make items more clear
  • 34. Questions and Answers
      Thank you for attending
      John L. Barlament
      Quarles & Brady LLP
      411 E. Wisconsin Avenue, Suite 2350
      Milwaukee, WI 53202
      john.barlament@quarles.com