April 12, 2013

New HIPAA Regulations Affect Employers

On January 17, 2013, the Department of Health and Human Services (“HHS”) released new regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). Although the new regulations do not substantially alter the fundamental structure of HIPAA compliance, employers will likely need to make some changes to ensure continued compliance.

The new regulations implement tougher privacy and security provisions for covered entities by lowering the security breach notification standard. In addition to the security breach changes, the new regulations impose additional obligations on business associates. As a result business associate contracts may have to be revised to reflect these new obligations.

Changes to Security Breach Notification Standards

The new regulations establish a lower standard for determining whether an employer is required to notify plan participates of a security breach involving their protected health information. The old standard required notification only if an unauthorized use or disclosure of protected health information “posed a significant risk of financial, reputational, or other harm” to the individual involved. Under the new standard, the employer is required to notify participants of a security breach following any unauthorized disclosure of unencrypted protected health information unless the employer can prove that there is a “low probability” that the protected health information has been compromised based on a four-part risk assessment.

The risk assessment must consider the following factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been disclosed.

If, after considering the factors, the employer determines that there is a low probability that the protected health information has been compromised; the employer must document its risk assessment supporting its decision not to notify participants of the breach.

Changes Affecting Business Associates

The final rule also expands the definition of “business associate” to include subcontractors that create, receive, maintain, or transmit protected health information in performing activities on behalf of a covered entity. As a result, subcontractors of business associates now must also ensure compliance with HIPAA.

What Employers Should Do

Although the final rule became effective on March 26, 2013, the earliest compliance deadline is September 23, 2013, with many deadlines falling much later to allow employers to comply. There are a few things employers should do between now and September.

Revise Privacy Notices:

Employers will need to issue revised privacy notices. This notice needs to (1) inform the recipients of their right to receive security breach notifications, (2) inform the recipient of HIPAA’s new prohibition on the use of genetic information for underwriting purposes, and (3) inform the recipient that the employer is required to obtain the subject’s authorization before using protected health information for marketing purposes.  Employers who maintain a benefits website for their employees should take note, as they need to post the revised notice by September 23, 2013.

Review Business Associate Agreements

The new rule modifies the minimum required contents of agreements with business associates who receive protected health information from a covered entity. In addition to previous requirements, business associate agreements must now include provisions that require business associates to (1) comply with HIPAA’s Security Rule, (2) report any security breaches to the covered entity, and (3) enter into “downstream” business associate agreements with any subcontractor of the business associate who receives protected health information.

The regulations can be accessed on the Federal Register’s website at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.   Please contact D. Ross Hamilton (336) 271- 5279, Denis Jacobson (336) 271-5242, or Sarah Hayward (336) 271-5256 in the employment law and litigation practice groups if you have any questions concerning your compliance with HIPAA. 

 

© 2013 Tuggle Duggins P.A. All Rights Reserved. The purpose of this bulletin is to provide a general summary of significant legal developments. It is not intended to constitute legal advice or a recommended course of action in any given situation. It is not intended to be, and should not be, relied upon by the recipient in making decisions of a legal nature. Moreover, information contained in this bulletin may have changed subsequent to its publication. This bulletin does not create an attorney-client relationship between Tuggle Duggins P.A. and the recipient. Therefore, please consult legal counsel before making any decisions or taking any action concerning the issues discussed herein.