Author: Judi Newman
April 14, 2004 is the compliance date for the HIPAA Privacy Rule for small health plans. A small health plan is defined as a plan that spends less than $5,000,000 in premiums annually if fully insured, or pays less than $5,000,000 in claims annually if self-insured. Are you in compliance?
Note: The following article provides information on HIPAA and its possible implications for agents. The views expressed are those of the author and do not necessarily reflect the views or interpretations of IIABA. As with any law, in order to ensure proper, legal compliance, we encourage you to consult with appropriate qualified counsel before implementing HIPAA regulations in your operations.
IMPORTANT: IIABA has developed an Executive Summary of the Privacy Rule Implementing HIPAA’s Privacy Requirements, and a Memorandum on Final HIPAA Privacy Regulations which was written by our outside counsel. IIABA members may access them by going to www.independentagent.com and clicking on the "Legal Advocacy" menu item on the left.
Defining “Business Associate” for Insurance Agents and Brokers
Compliance with HIPAA HITECH is not an option for business associates. Insurance agents and brokers involved in the sales and service of group health insurance coverage should be aware that they are business associates of covered entities, their clients. The business associate decision tree asks three key questions to determine whether a business relationship is that of a business associate. Answering yes to any or all of these questions clearly defines a business associate relationship with your client, the covered entity.
Does the business/vendor or person receive, retain or create Protected Health Information (PHI) on behalf of the covered entity?
Does the business/vendor or person perform a service involving the use of PHI on behalf of the covered entity?
Does the business/vendor or person perform any HIPAA-related activity, such as claims administration or assistance, for the covered entity?
American Recovery and Reinvestment Act of 2009
The new Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements, imposed by the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which is part of the American Recovery and Reinvestment Act of 2009 (ARRA), will have a significant impact on the privacy and security of health care information and on compliance obligations.
The biggest changes will impact HIPAA business associates—the service providers to the health care industry. These companies—for the first time—will be covered directly by most of the HIPAA rules. Meeting these new requirements will be a substantial challenge—and business associates need to develop an appropriate plan to ensure compliance. Although the compliance deadline has come and gone (February 2010), ignoring the compliance requirements is not an option.
HIPAA Background
The passage of the Health Insurance Portability and Accountability Act of 1996 meant many things to many people. At its foundation, the HIPAA law focused on “portability,” the idea that individuals could “take” their health insurance coverage from one employer to the next, without exclusion of pre-existing health conditions acting as an impediment to job transitions.
When Congress passed HIPAA, it also added into the mix a variety of other topics related to the health care industry (such as creating large funding for what has now become a more than decade-long fight against health care fraud). One of the policy mandates adopted in HIPAA was to move toward standardized electronic transactions for the health care industry. With these standardized transactions came a concern about health care information being put into electronic form, which led to the creation of the HIPAA Privacy Rule and the HIPAA Security Rule.
But this background also led to one key component of these rules: the limits on the applicability of these rules to “covered entities”—the entities (such as doctors, hospitals and health insurers) that might be participating in these standardized transactions. The law mandated the rules—but restricted their application to those covered entities only.
While the covered entities are core participants in the industry, they rely on tens of thousands of vendors to provide them services, with many of these services involving patient information. Therefore, the concept of a “business associate” was born—an entity that provides services to the health care industry where the performance of those services involves the use or disclosure of patient information.
Because the Department of Health and Human Services (HHS) had no direct jurisdiction over these “business associates,” HHS imposed an obligation on the covered entities to implement specific contracts with these vendors that would create contractual privacy and security obligations for these vendors. The failure to execute a contract would mean that the covered entity violated the HIPAA rules. A business associate’s failure to meet a contractual privacy standard would be a breach of that contract—but would not subject the business associate to government enforcement, because the business associate was not regulated under the HIPAA rules. This system has existed since the enactment of the HIPAA Privacy Rule in 2001.
With the passage of ARRA (American Recovery and Reinvestment Act of 2009), which included the HITECH Act, Congress has blown this HIPAA structure to bits. The reason is that it now imposes direct legal compliance obligations on business associates. Although this legislation does not turn business associates into covered entities, it does impose—for the first time—direct accountability on these business associates, with potential civil and criminal liability for a failure to meet these requirements.
Three Critical Changes
While there are many changes to the HIPAA rules by HITECH, three developments stand out from the rest:
Enforcement
The new legislation creates substantial new opportunities for aggressive enforcement of the HIPAA rules. Over the course of the next few years, we can expect these changes to produce a fundamental shift in the overall enforcement of the HIPAA Privacy and Security Rules.
The provisions increase substantially the penalties that are available for violations of the rules, from the current high of $25,000 to as much as $1.5 million. Fines are mandatory in situations involving “willful neglect.”
Breach Notification
At the same time that enforcement actions are given new strength, the legislation also creates a new federal security-breach notification requirement for the health care industry. Most security breaches—including many events that have not historically been thought of as security breaches—now must be disclosed not only to consumers but also to HHS and, in some situations involving larger breaches, even to the media.
Business Associates
The other change that will generate enormous work for the health care industry and its business partners is a series of provisions that essentially extend full compliance responsibility for the HIPAA Privacy and Security Rules to the business associate category—all of the companies that provide services to the health care industry. The new provisions will obligate these business associates by law to follow most HIPAA provisions. Again, this provision seems to have nothing to do (specifically) with electronic health records. It clearly extends HIPAA coverage to all business associates, whether they deal with electronic health records or not.
Conclusion
Between the extension of the HIPAA rules to business associates, the new enforcement environment and the significant concern and confusion about security breaches, the overall risks from the health care privacy structure are now magnified significantly for business associates. Business associates will need to review these provisions promptly, and identify where their current compliance policies are insufficient for this new environment.
For HIPAA business associates, there are broad new compliance obligations, coupled with significantly enhanced enforcement risks. While these challenges clearly are manageable, they require careful analysis and a thoughtful plan to respond to the many likely issues.
For questions about business associate issues or for other assistance with your HIPAA HITECH compliance plan, you can contact:
Judi Newman
Phaze II Consulting, Inc.
judinewman@aol.com
239-481-6001
Copyright 2010 by Phaze II Consulting, Inc. Used with permission.
All rights reserved. No part of this article may be reproduced in any form or by electronic or mechanical means without permission from the publisher.