Back in February of 2009, many of us were somewhat taken aback to find HIPAA amendments in the economic stimulus bill. After months of delay, proposed regulations implementing these amendments – commonly known as the HITECH amendments – have finally arrived, and they contain a few surprises! Here's a quick summary of some key provisions that will impact employer-sponsored health plans.
Business Associate Agreements
Some had hoped that business associate agreements would no longer be necessary now that business associates are directly subject to penalties under HIPAA. Not so. The regulations continue to require them. Moreover, the agreements will have to be amended. Changes include:
- Business associates must now comply with the full set of HIPAA security regulations (and not just the provisions specifically identified in the HITECH amendments).
- The proposed regulations do away with prior tattle-tale provisions that seemed to require covered entities to report violations by business associates to the Department of Health and Human Services (and possibly a reciprocal duty for business associates to report violations by health plan sponsors).
- Business associates will now also have a duty to terminate relationships with downstream contractors and agents who violate HIPAA – and these downstream contractors will now also be subject to penalties for such violations.
Even if you've already updated business associate agreements to reflect the HITECH amendments, some of these new provisions will require another round of amendments. The good news is that you will have 18 months to do so once the final regulations are issued.
Notice of Privacy Practices
Although the HITECH amendments seemed to require only a minor change to the Notice of Privacy Practices, the proposed regulations require even more changes:
- Notices will now have to describe situations that require an authorization. This includes use or disclosure of psychotherapy notes, use or disclosure for marketing purposes and the sale of protected health information.
- If the health plan is getting compensated for communicating certain information, the notices will have to say so and describe the individual's right to opt out of receiving such communications.
The final regulations may still require additional new disclosures, as the Department of Health and Human Services is seeking feedback on whether the notice should say anything about security breaches. The Department is also considering whether to change rules regarding the distribution of amended notices. Current rules say they must be distributed within 60 days of the amendment.
Access to Electronic Records
The HIPAA privacy rules have always included a right for individuals to access their health records, but the proposed regulations implement new HITECH requirements relating to electronic records:
- If the health plan (or its business associate) maintains records in an electronic database, the health plan must produce these records in an electronic format requested by the individual, if it can be easily accommodated, and if not, then in a format agreed to between the individual and the health plan.
- Individuals have the right to designate a third party to receive paper or electronic versions of their documents, but must clearly identify the designated recipient in a written and signed request. Electronic requests and signatures may be acceptable, but health plans will need to take reasonable steps to verify the identity of the person making the request.
- The health plan may charge for the labor involved in reviewing the request and producing the electronic copy, but may not charge a document "retrieval fee" that does not reflect the actual cost relating to the request. If the individual asks for the electronic documents to be stored on electronic media (such as a USB flash drive or CD), the proposed regulations will allow recovery of the actual cost of the media, as well as actual shipping costs, per the individual's instructions.
As a practical matter, most health plan records are in the hands of business associates and insurers, but employers may have enrollment records and claims appeal files that are subject to these new requirements.
The Next Steps
At present, these new changes are only proposals. It's possible that the final regulations will change. Thus, you shouldn't make any changes quite yet. If you have any opinions on these proposed changes, the Department of Health and Human Services is taking comments until September 13, 2010.
If you have any questions about the proposed regulations or on how to submit comments, please contact a member of the Warner Employee Benefits Practice Group.