At approximately one-half the length of War and Peace, the recently published Omnibus Final Rule, which modifies the HIPAA Privacy, Security and Enforcement Rules and implements the HIPAA Breach Notification Rule, can overwhelm in-house employment, benefits, and privacy counsel as well as human resources and benefits professionals trying to discern the Rule’s practical implications for employers who sponsor HIPAA-covered plans, which are “covered entities” under HIPAA. Like most HIPAA-related guidance, the Omnibus Final Rule tends to focus on health care providers, with only a small portion of the ample regulatory commentary aimed at the employer community. Moreover, a detailed reading of the Omnibus Final Rule reveals dozens of technical changes with little or no practical impact on employers and numerous granular modifications that may be relevant to employers, if at all, only with limited frequency.
Stepping back from this superabundance of detail, we have identified the following five “big picture” takeaways for employers who sponsor HIPAA-covered plans:
- Not That Much Has Changed For Employers: Although the Omnibus Final Rule modifies all current sets of HIPAA regulations and adds to them, the compliance framework remains fundamentally unchanged for employers. HIPAA’s coverage of employee health benefits information has not been materially expanded; employers have substantially the same compliance obligations; and plan participants have substantially the same rights with respect to their protected health information (“PHI”).
- Slow Down; Employers Have Some Time To Comply: The earliest compliance deadline is September 23, 2013. Employers generally will have additional time to comply with the changes likely to have the greatest impact on them, i.e., the distribution of updated privacy notices and the modification of business associate agreements (discussed in more detail below).
- Not Every “HIPAA Violation” Is A Security Breach: The Interim Final Rule on breach notification contained a “harm threshold,” which excluded from HIPAA’s security breach notification obligation any unauthorized use or disclosure of PHI that did not pose a significant risk of financial, reputational, or other harm to the plan participant or patient. During the more than two years that the Omnibus Final Rule had been pending, there was much speculation that the Department of Health and Human Services (HHS) would eliminate this harm threshold. The practical effect of such a modification would have been to substantially increase covered entities’ security breach notification obligations because almost any unauthorized use or disclosure of PHI — such as a misdirected e-mail, fax, or letter containing PHI — would trigger a notice obligation. While the Omnibus Final Rule eliminates the harm standard, the revised regulation still contains a brake on the security breach notification obligation. Now, a covered entity confronted with an unauthorized use or disclosure of PHI can avoid providing notice of a security breach if, after conducting a risk assessment that at a minimum addresses four factors identified in the Omnibus Final Rule, it determines that there is a low probability the PHI has been compromised. The four risk factors are: (1) the nature and extent of the PHI involved; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated. This new “low probability” standard provides an important check on the potential security breach notification obligations of employers who sponsor HIPAA-covered plans.
- Employers Will Need To Issue Revised Privacy Notices: While not fundamentally changing employers’ HIPAA compliance obligations, the Omnibus Final Rule does make some changes deemed sufficiently material by HHS to warrant mandatory distribution of an updated notice of privacy practices. The revised notices will need to inform recipients of (a) their right to receive security breach notification, (b) HIPAA’s new prohibition on the use of genetic information for underwriting purposes, and (c) the requirement that the employer obtain the subject’s authorization before using PHI for marketing purposes and before selling PHI. Fortunately, the deadline for distributing these revised notices should align with most employers’ 2013 open enrollment season. Under the Privacy Rule, employers who maintain a benefits website must post the revised notice by September 23, 2013, and include the revised notice in their next annual mailing to plan participants. Employers who do not maintain a benefits website but wait until September 23, 2013, for their revised privacy notice to become effective will have until December 22, 2013, to distribute the updated notice.
- Employers Should Review And Possibly Amend Business Associate Agreements: The Omnibus Final Rule modifies the minimum required contents of agreements with service providers, known in HIPAA parlance as “business associates,” who receive PHI from a covered entity, such as third-party administrators and insurance brokers. In addition to previously required provisions, these business associate agreements must now include provisions that require business associates to (a) comply with the HIPAA Security Rule’s requirements, (b) report any security breach to the covered entity, (c) enter into a business associate agreement with any subcontractor that receives the covered entity’s PHI, and (d) comply with the provisions of the HIPAA Privacy Rule applicable to any obligation which the covered entity delegates to the business associate, such as the obligation to provide an individual with access to his or her PHI. Fortunately, many employers who sponsor HIPAA-covered plans started to include provisions addressing these requirements in their business associate agreements after the HITECH Act was enacted in February 2009 or after it went into effect the following year. For those business associate agreements that do not contain some or all of these newly required provisions, the covered entity has until September 22, 2014, to amend the agreement, unless the existing agreement is modified after September 23, 2013, in which case any previously omitted provisions must be included in the updated agreement.
It is worth noting that the Omnibus Final Rule does implement fundamental changes for business associates and their subcontractors. These entities must now comply with the HIPAA Security Rule when they receive PHI in electronic form and, for the first time, are subject to direct regulation by HHS. In addition, business associates must now enter “downstream” business associate agreements with their subcontractors who receive PHI. However, the Omnibus Final Rule expressly provides that covered entities do not have any compliance obligations with respect to the subcontractors of their business associates.
The massive Omnibus Final Rule, of course, contains other regulatory revisions that are relevant to employers who sponsor HIPAA-covered health plans. We will be addressing those changes comprehensively in future publications at this site. In the meantime, the five key takeaways described above are the changes with the most significant practical impact on HIPAA-covered employers.