HIPAA Privacy Forms Package Now Available for Business Associates

February 15, 2010

The American Recovery and Reinvestment Act of 2009 (“Act”) makes some of the HIPAA privacy and many of the security standards, as well as the civil and criminal penalties for violating those standards, directly applicable to business associates in the same manner as they apply to covered entities (which include health plans). While business associates already are required to have certain privacy and security safeguards in place under business associate contracts with a covered entity, they will now be directly responsible under the privacy and security standards.

Many of these new provisions become effective on February 17, 2010.

Who is a “Business Associate”?

A “Business Associate” is an entity that:

  • performs a function or activity on behalf of a covered entity or provides certain specific services for a covered entity; and
  • has access to individually identifiable health information.

HIPAA Privacy Form Package

To comply with the new requirements, I have created a special HIPAA Privacy Forms Package for Business Associates.  This forms package contains the following documents:

  • A HIPAA Privacy Policy and Procedure,
  • A HIPAA Security Standards Checklist,
  • A HIPAA Training Acknowledgement,
  • A Notice of Privacy Practices,
  • A HIPAA Privacy Compliance Checklist,
  • An Authorization for Release of Information, and
  • A Business Associate Agreement.

There are over forty (40) pages of documents in this package. It has been specially designed for third party administrators, brokers and others to comply with the new requirements.  The forms have been designed to be easy to use and complete.  If you order, they will be provided to you as a Word file and can be reused.

How do I order?

Please send me an email and a check for $600 to:

Larry Grudzien
Attorney at Law
708 So. Kenilworth Ave.
Oak Park, IL 60304

As soon as I receive your check, I will send you a copy of the HIPAA Privacy Forms Package.

This forms package will provide you with a quick and easy way to comply.  If you have any questions or would like a sample, please send me an email.

Questions?

If you have any questions before or after ordering the forms package, please call or e-mail.  My email address is:

larry@larrygrudzien.com

New Law Increases Requirements Under The HIPAA Privacy Rules For Business Associates

March 5, 2009

The American Recovery and Reinvestment Act of 2009 (ARRA) approved by Congress on February 13, 2009 and signed into law by the President on February 17, 2009, makes a number of modifications to the Health Insurance Portability and Accountability Act (HIPAA) regarding privacy and security rules.

The legislative changes that affect HIPAA create many new requirements, enforcement provisions and penalties for covered entities, business associates, vendors and others.  Many changes are focused on HIPAA’s privacy and security requirements and will require businesses to change the way they currently do business.  There are significant changes for all Covered Entities (defined under HIPAA as health care providers that conduct certain electronic transactions, health care clearinghouses, and health plans), but the changes are most challenging for Business Associates (individuals or corporate persons that perform ANY function or activity involving the use of Protected Health Information (PHI)), who now face a host of new requirements.

Business Associates Required to Comply with HIPAA Privacy and Security Rules

Under HIPAA, Business Associates have not been directly regulated and have not been subject to HIPAA’s penalty provisions.  Because HIPAA only requires a contract between the Business Associate and the HIPAA-covered entity, the only sanction Business Associates faced for failure to protect health information was a breach of contract claim.  However, ARRA makes significant changes to the way Business Associates are treated under HIPAA.

ARRA specifies that any entity that engages in health information exchanges or provides data transmission of PHI (including Personal Health Record (PHR) vendors and health information exchanges) is considered a Business Associate.  As such, these entities must enter into a business associate contract with the covered entity and will be subject to ARRA’s civil and criminal penalty provisions.

Additionally, ARRA requires that the administrative, physical and technical safeguards and the policy, procedure and documentation requirements of HIPAA’s security rule apply to Business Associates of a covered entity in the same manner as they apply to the covered entity.  These additional requirements must be incorporated into Business Associate contracts and agreements, and they include notification provisions for a breach and the application of ARRA’s criminal and civil penalties.  With regard to HIPAA’s privacy rules, Business Associates are prohibited from using or disclosing any PHI in a manner that does not comply with the terms required in the Business Associate contract or agreement under HIPAA.  These changes become effective February 17, 2010 (one year after the enactment of ARRA).

Notice to Individuals of Privacy and Security Breaches

ARRA also imposes certain notification requirements on covered entities and Business Associates in the event of a breach of “unsecured protected health information.”  A breach is defined as “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information”.  Unsecured protected health information is defined as protected health information that the covered entity or Business Associate has not secured via standards approved by the Secretary of Health and Human Services (Secretary).

Generally, the notification of a breach must be provided “without unreasonable delay”, but in no case later than 60 days after the discovery of the breach or the date the breach should reasonably have been discovered.  Since the 60 days is the outer limit for notification, if the full 60 day window is used, the covered entity or Business Associate involved in the breach must be prepared to justify its reasons for not providing notification of the breach sooner.  However, notice of a breach may be delayed if a law enforcement official determines that notification would hinder a criminal investigation or injure national security.

For Business Associates that discover a breach, the Business Associate must notify the covered entity of the breach or potential breach and the identity of all individuals affected or potentially affected.  For covered entities, notification must be made to individuals whose unsecured protected health information has been accessed, acquired or disclosed, or is reasonably believed to have been accessed, acquired or disclosed, as a result of a security or privacy breach.  In general, notification to affected individuals must be sent via first class mail.  However, where a breach involves 10 or more individuals whose contact information is out-of-date or deficient, notification must be posted on the covered entity’s website or published in major print or broadcast media.  For a breach that involves 500 or more individuals, the covered entity involved in the breach must also give notice to prominent media outlets in the applicable jurisdiction or state.

Notice of all breaches must be provided to the Secretary.  If the breach affects 500 or more individuals, the covered entity involved in the breach must immediately notify the Secretary.  For breaches that affect fewer than 500 individuals, the covered entity involved in the breach may notify the Secretary of those breaches on an annual basis.

To the extent possible, all notices must contain:

1. A brief description of what happened, including the date of the breach and the date of the discovery of the breach (if known);

2. A description of the types of unsecured protected health information involved in the breach (e.g., social security number, date of birth);

3. The steps individuals should take to protect themselves from potential harm as a result of the breach;

4. A brief description of what the entity involved is doing to investigate the breach, to mitigate losses and to protect against further breaches; and

5. Contact procedures for individuals to ask questions or receive additional information, including a toll-free telephone number and an e-mail address, web site or postal address.

Expansion of Accounting of Disclosures

ARRA changes the existing limitations on accounting for disclosures of health information to individuals who request such an accounting.  If a covered entity uses or maintains an Electronic Health Record (EHR), then individuals will be allowed to receive an accounting of the disclosures of PHI for treatment, payment and health care operations made from the EHR.  The period covered by the mandated accounting is limited to the 3 year period prior to the individual’s request.  A reasonable fee may be charged to the requesting individual, provided the fee is not greater than the labor costs involved in complying with the request.

The Secretary is required to adopt regulations that specify the information to be contained in the accountings within 6 months of ARRA’s enactment.  Covered entities that began using EHR prior to January 1, 2009 will be required to provide the accounting upon request effective January 1, 2014.  Covered entities that begin using EHR after January 1, 2009 will be required to provide the accounting upon request effective January 1, 2011.

Mandatory Restrictions on Disclosure of PHI when Requested by Individuals

Under ARRA, individuals are given the right to restrict the disclosure of PHI related to treatment, payment and health care operations, provided:

1. The restriction relates to disclosure for purposes of payment or health care operations;

2. The restriction does not relate to disclosure for purposes of treatment; and

3. The PHI relates only to an item or service for which the provider has already received payment in full.

Right of Individuals to Receive Electronic Records

If a covered entity maintains EHRs that contain PHI, ARRA provides individuals with the right to obtain a copy of their records in an electronic format or to request that the record be transmitted to a third party.  The covered entity may not charge the individual requesting the copies more than the total cost of labor incurred by the entity in transmitting the copies.

Clarification of the Minimum Necessary Standard

Pending additional guidance from the Secretary, a covered entity will be considered to be in compliance with the minimum necessary standard if, to the extent possible, the covered entity limits the disclosure to a limited data set or to the minimum data necessary to accomplish the intended purpose of the disclosure or use of the information.  The Secretary is required to issue guidance within 18 months of ARRA’s enactment.

Increased Use of De-Identified Information

ARRA requires the Secretary to issue guidance on how covered entities can comply with requirements related to the use of de-identified PHI.  Such guidance must be issued within 1 year of ARRA’s enactment.

Enforcement and Penalties

ARRA authorizes the Secretary to conduct periodic audits of covered entities and Business Associates to ensure compliance with HIPAA and ARRA requirements.  The Secretary is also authorized to use civil enforcement provisions even if the action in question violated the criminal provisions, provided no criminal conviction is associated with the conduct.

The Secretary is required to impose civil penalties if a violation is due to willful neglect and to formally investigate any complaint if a preliminary investigation indicates the potential of violation due to willful neglect.  For cases involving violations where the individual did not know of the violation or where the individual would not have known of the violation by exercising reasonable diligence, corrective action rather than penalty may still be used.

Under ARRA, criminal enforcement for certain HIPAA violations is not limited to covered entities.  For purposes of criminal enforcement provisions, ARRA provides that “a person (including an employee or other individual)” is considered to have obtained or disclosed individually identifiable health information in violation of HIPAA if such information is maintained by a covered entity and the individual obtained or disclosed such information without authorization.

The Office for Civil Rights will receive any civil monetary penalties (CMPs) or settlements related to HIPAA security-related offenses.  Such funds will be used to fund the further enforcement of ARRA and HIPAA rules and requirements.

State Attorneys General may bring a civil action under ARRA on behalf of state residents who have been or are threatened to be harmed by a violation, to obtain injunctive relief or damages, as well as attorney fees.  Notice must be given to the Secretary, and the Secretary is permitted to intervene.  A State Attorney General may not bring an action if a federal action by the Secretary is already pending.  These provisions only apply to violations that occur after February 17, 2009 (the date of enactment).

The Comptroller General must submit a report to the Secretary within 18 months of ARRA’s enactment that provides recommendations for determining a reasonable methodology for calculating an appropriate percentage of CMPs or settlements for individuals who have been harmed by a violation of HIPAA or ARRA.  The Secretary is required to issue regulations based on the Comptroller General’s recommendations within 3 years of ARRA’s enactment.

Q&A Health Insurance Portability and Accountability Act of 1996 (HIPAA)

October 28, 2008

May an employer charge an employee a higher premium if he or she uses its health plan more than other employees?

No.  A health plan is not allowed to establish eligibility rules that discriminate on the basis of a health factor, as provided in Treasury Regulations Section 54.9802-1(b)(1)(i), Labor Regulations Section 2590.702(b)(1)(i) and Health and Human Services Regulations Section 146.121(b)(1)(i).

Under Code Section 9802(a)(1), ERISA Section 702(a)(1), and PHSA Section 2702(a)(1), the following factors are considered health factors:

  • health status;
  • medical condition (including both physical and mental illnesses);
  • claims experience;
  • receipt of health care;
  • medical history;
  • genetic information;
  • evidence of insurability (EOI) (including conditions arising out of acts of domestic violence); and
  • disability.

Under what situations may an employer offer a discount or impose a surcharge on premiums to employees?

Under Treasury Regulations Section 54.9802-1(f)(2), Labor Regulations Section 2590.702(f)(2) and Health and Human Services Regulations Section 146.121(f)(2), wellness programs that condition eligibility for a reward upon a participant’s ability to meet a standard that is related to a health factor are permissible only if they satisfy each of the following five requirements:

  • The reward must be no more than 20% of the cost of coverage,
  • The program must be designed to promote health or prevent disease,
  • The program must give individuals an opportunity to qualify for the reward at least once a year,
  • The reward must be available to all similarly situated individuals, and
  • The plan must disclose that alternative standards (or a waiver) are available.

Can an employer offer any other wellness programs to employees?

Under Treasury Regulations Section 54.9802-1(f)(1), Labor Regulations Section 2590.702(f)(1) and Health and Human Services Regulations Section 146.121(f)(1), wellness programs that do not condition eligibility for a reward upon a participant’s ability to meet a health standard (which we refer to as “participation-only programs”) are permissible if participation in the programs is available to all similarly situated individuals.

Examples of such programs include:

  • incentives to participate in a health fair or testing (regardless of outcome),
  • waiver of co-payment/deductible for well-baby visits,
  • reimbursement of health club membership,
  • reimbursements for smoking cessation programs (regardless of outcome), and
  • a program that rewards employees for attending a monthly health education seminar.

Are any wellness benefits offered to employees taxable?

Yes, if the benefit does not qualify either as an “eligible medical expense” under Code Section 213(d) or a “fringe benefit” under Code Section 132.