* UPDATE: SEPTEMBER 2013 *
With new regulations taking effect, update your HIPAA privacy policies ASAP
Remember the sweeping HIPAA reforms enacted in 2009 as part of the economic stimulus legislation? Yeah, neither did we. However, the U.S. Department of Health and Human Services (HHS) hasn’t forgotten. It has issued final regulations for implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The regulations require entities covered by HIPAA—including employer-provided health plans—to update their privacy policies ASAP. The deadline: Sept. 23, 2013. HIPAA is the Health Insurance Portability and Accountability Act of 1996, which governs almost all employer-provided health insurance plans. It also sets the national standards for electronic health care transactions—the primary focus of the HITECH Act.
HITECH expanded security measures employers must take to ensure employee privacy and restricted how employers may use “protected health information,” including genetic information.
Most of the HITECH privacy regulations affect health care providers and insurance companies that store vast amounts of electronic patient data. However, many of the regs affect employers, too.
Example: Entities that handle health records must have a way to scrub medical data from digital photocopiers and other equipment that electronically stores information.
Advice: Consult your attorney to ensure your privacy policies comply with the new regulations. Read the final HITECH regs online.
Read background on HITECH below.
OCTOBER 2009 article
by Eric A. Mahler, Esq., Ogletree Deakins
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on Feb. 17, 2009 as part of the American Recovery and Reinvestment Act of 2009, also known as the economic stimulus bill.
HITECH was designed to advance the use of health information technology, such as electronic health records.
Among other important aspects, the HITECH Act expands the scope and enforcement power of the Health Insurance Portability and Accountability Act (HIPAA), with greater penalties for noncompliance.
Privacy and security regulations
One of HIPAA’s primary purposes is to safeguard the confidentiality of patients’ health information. If you provide health insurance to your employees, it’s important to understand how HITECH affects HIPAA.
HIPAA previously required that “covered entities” enter into contracts or “business associate agreements” (BAAs) with noncovered entities if those transactions involved the exchange of protected health information (PHI).
For HR purposes, the covered entities you will deal with most often are the employer's own group health plan and the group health insurance carrier. Business associates are the other companies that provide ancillary services involving PHI, such as claims processing.
The BAAs required the entities working on behalf of providers and insurers to use appropriate safeguards for the PHI they receive from the covered entities. The BAAs also set forth permitted uses and disclosures for the PHI.
Prior to HITECH, business associates were not directly subject to either HIPAA or direct government enforcement action.
Under HITECH, business associates must now comply directly with the HIPAA Security Rule's administrative, physical and technical safeguards, and with its policies-and-procedures and documentation requirements. Business associates also must comply with the HIPAA Privacy Rule provisions that would otherwise apply to them through their BAAs, and with any changes to the privacy rules (whether or not those changes are reflected in the BAAs).
Business associates can now be subject to enforcement by federal or state authorities for any failure to comply with HIPAA (as amended by HITECH).
If security is breached
Unlike pre-HITECH HIPAA, covered entities must now notify individuals whose unsecured health information has been breached. Business associates must notify the covered entity of any breach they discover; the covered entity must then notify the affected individuals.
A two-part inquiry is applied to determine if notification is required:
- Does the incident qualify as a breach?
- Was the information "secured," that is, encrypted or destroyed in a manner consistent with HHS guidance?
No notification to individuals is required if the breached information was secured in accordance with the guidance HHS issued under HITECH. Secured information has been rendered "unusable, unreadable or indecipherable to unauthorized individuals" through the technologies or methods the guidance specifies (encryption meeting the referenced NIST standards, or destruction). Note the practical caveat: encryption only provides this safe harbor if the decryption key was not also exposed. An encrypted laptop whose key or passphrase was stored with it, or an encrypted database whose key was taken along with the data, does not qualify, so keys must be managed and stored separately from the data they protect.
Notice must be given without unreasonable delay and no later than 60 calendar days after discovery of the breach. A breach is "discovered" on the first day it is known, or reasonably should have been known, to any workforce member or agent of the entity (other than the person who committed it), so the clock can start before management is told. If the breach involves more than 500 individuals, notice must also go to prominent media outlets serving the affected area and to HHS within the same 60-day window. Smaller breaches must be logged and reported to HHS annually.
Author: Eric A. Mahler is an associate in the Bloomfield Hills, Mich., office of Ogletree, Deakins, Nash, Smoak & Stewart, P.C. His practice concentrates on labor and employment, advising clients on matters including collective bargaining, corporate downsizing, union-free campaigns, media communications regarding labor negotiations, disciplinary matters, grievance adjustment, contract administration and revising job descriptions.