What Is the Deadline for Updating Business Associate Agreements?
03/12/2013
By: Jason Lacey

All covered entities and business associates will need to review their business associate agreements in light of the new final HIPAA regulations (see prior coverage here). The new rules are effective March 26, 2013, with a general compliance deadline of September 23, 2013. So what is the deadline for reviewing and updating a business associate agreement?

Transition Rule. Under a transition rule in the new regulations, covered entities and business associates (and business associates and their subcontractors) may continue to operate under certain existing agreements for up to one year beyond the general compliance date of September 23, 2013.

There are two conditions for this rule:

(1) Already in existence. A written business associate agreement must have been in existence on January 25, 2013 (the date the new final rule was released) and must satisfy the requirements of the prior HIPAA rule.

(2) Not renewed or modified. The business associate agreement must not be renewed or modified between March 26, 2013 and September 23, 2013.

If these conditions are satisfied, the agreement will be deemed to satisfy the new rules until the earlier of (i) the date the agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. In other words, if these conditions are met, covered entities and business associates will have until as late as September 22, 2014 to update their agreements to comply with the final rule.

Evergreen Agreements. This transition rule is available for agreements that automatically renew between March 26, 2013 and September 23,

 
HHS Has Updated Its Sample Business Associate Agreement
02/02/2013
By: Jason Lacey

The updated sample agreement is here. It reflects changes in the HIPAA privacy, security, and breach-notification rules made by the final omnibus regulation (prior coverage here).

The template is a helpful starting point for drafting and reviewing business associate agreements in light of the new rules. Although it does not purport to address all issues that might merit consideration in an agreement, health plans, brokers, TPAs, and other covered entities or business associates will want to be familiar with it, if for no other reason than it is likely to form the backbone of many standard BAA templates.

Reminder: The final omnibus rule is effective March 26, 2013, with a general compliance date of September 23, 2013. 

 
Comprehensive Final HIPAA Regulation Released
01/23/2013
By: Jason Lacey

HHS has finally released its long-anticipated final “omnibus” regulation (here) addressing the 2009 HITECH Act changes and making other updates to the privacy, security, breach notification, and enforcement rules.

Foulston Siefkin’s health care practice has already posted an issue alert (here) providing an overview of the regulation.

Compliance Date. The advance copy of the regulation runs 563 pages, so there is considerable detail to digest. Luckily, HHS gave us a little time to get our heads around it. The regulation is effective March 26, 2013, and covered entities and business associates are generally required to begin complying with the final rules by September 23, 2013.

Some Key Points. Here are a few key points to understand about the final rules:

1. Business associate agreements may require modification. Business associates are now directly liable for compliance with portions of the HIPAA privacy and security rules. This requirement and other HITECH Act changes will require review and possible modification of business associate agreements to ensure they are in compliance.

2. Notices of privacy practices will require attention. The final rule changes some of the information that is required to be provided in the notice of privacy practices and generally requires re-distribution of an updated notice.

3. The standard for breach notification has changed. Under current rules, a covered entity is required to provide notification of a breach of protected health information (PHI) only if there is a substantial risk of harm from the breach. That “harm” standard has been replaced. There is now a presumption

 
HHS Shows Some Leniency in Recent HIPAA Settlement
01/08/2013
By: Jason Lacey

HHS has announced a Resolution Agreement (here) with a nonprofit hospice organization in Idaho, resolving its investigation of a HIPAA breach involving the theft of a laptop computer. Although much about this case is similar to others like it that HHS has settled in the past few months (see, for example, here), the noteworthy points in this case are the ways in which it differs.

Size of Breach. The breach in this case involved electronic protected health information of 441 individuals. That’s a lot of people, but it is the first case HHS has resolved involving a breach affecting fewer than 500 individuals. (Because the breach affected fewer than 500 individuals, it would not have been disclosed to HHS immediately, but rather would have been identified on a log as part of the annual breach-notification requirement.) 

The point: HHS takes these cases seriously, whether they involve thousands of individuals or just a few hundred. A breach will not stay below the government's radar just because there is no separate notification requirement.

Resolution Amount and Corrective Action Plan. The case was resolved for a resolution amount of $50,000 (compared to over $1M in other recent cases), and HHS demanded a relatively light corrective action plan. Why would HHS be more lenient here? Reading between the lines, the answer seems to be based on the covered entity’s voluntary efforts to correct its error and take steps to prevent similar problems from occurring in the future.

The Resolution Agreement indicates that once the covered

 
HHS Settles Another HIPAA Enforcement Matter for $1.5 Million
09/28/2012
By: Jason Lacey

HHS continues to show it is serious about investigating breaches of the HIPAA privacy and security rules and enforcing those rules. It recently announced a $1.5 million settlement with two non-profit medical service and research organizations in Massachusetts stemming from the theft of an unencrypted laptop that contained electronic PHI. The two organizations reported the theft to HHS, as required by the HITECH breach-notification rule.

In its news release, HHS had particularly pointed things to say about the covered entities' security practices.

  • "[HHS's] investigation indicated that [the covered entities] failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices . . . ."
  • "[HHS's] investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule."
  • "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."

As in other recent cases, HHS entered into a resolution agreement with the covered entities that not only required payment of the $1.5 million "resolution amount," but also outlined the terms of a corrective action plan to be followed by the covered entities over the next three years.

A few takeaways:

  1. This case happened to involve a medical provider and a research organization, but nothing about the outcome was unique to that status. Any covered entity -
 
HIPAA Privacy and Security Enforcement Heats Up for Health Plans: Even States Aren't Exempt
07/30/2012
By: Jason Lacey

The federal Department of Health and Human Services (HHS) recently announced that it has entered into a resolution agreement with the Alaska Department of Health and Social Services (which operates the Alaska Medicaid program) to settle potential violations of the HIPAA security rule.

The underlying facts are painfully simple. [read: Yes, this could happen to you.] A computer technician for the Alaska agency had a USB thumb drive stolen from the technician's car. The thumb drive potentially contained electronic protected health information about individuals covered through the Alaska Medicaid program. (There was no evidence that data on the drive had, in fact, been accessed.) The agency reported the potential breach to HHS, as required under the HITECH breach-notification rules. HHS began its investigation within three months after the notification.

To resolve this potential violation of the HIPAA security rule, the Alaska agency agreed to pay a "resolution amount" of $1.7 million and enter into a corrective-action plan that, among other things, allows HHS to closely monitor the agency's HIPAA compliance for the next three years.

Although a state Medicaid program operates on a much larger scale than a private employer's group health plan, this investigation and resolution agreement show that HHS will take HIPAA compliance by health plans just as seriously as compliance by health-care providers and other covered entities. It is imperative that health plans have proper privacy and security policies and procedures in effect and assess security risks. Those policies, procedures, and assessments must be periodically reviewed and updated to

 
HHS Releases Audit Protocol for HIPAA Audits
07/02/2012
By: Jason Lacey

The federal Department of Health and Human Services (HHS) has released a comprehensive audit protocol that describes in detail the manner in which it will audit compliance by covered entities with the HIPAA privacy, security, and breach-notification rules. The protocol gives group health plans and other covered entities a useful (albeit thorough) checklist for evaluating their compliance with these rules and, if necessary, taking steps to shore up their records, policies, and procedures on issues HHS is sure to review in the event of an audit.

There are 165 separate audit points in the protocol, and not all of them will be relevant for every covered entity. But for group health plans, the following will be of particular interest:

  • Organizational Requirements for Group Health Plans. "Inquire of management as to whether the plan documents restrict the use and disclosure of PHI by the plan sponsor. Obtain and review a sample of plan documents. Verify if the use and disclosure of PHI by the plan sponsor is restricted. Verify what information the sponsor does obtain and how it is used."
  • Notice of Privacy Practices. "Obtain and review the notice of privacy practices and evaluate the content relative to the specified criteria given to individuals by the covered entity." And for group health plans specifically: "Obtain and review the formal or informal policies and procedures in place regarding the provision of the notice of privacy practices. For a selection of individuals, obtain and review the individuals' files for the past year to
 
Federal Appeals Court Rules Against Defense of Marriage Act
06/04/2012
By: Jason Lacey

A federal appeals court in Boston ruled late last week that a portion of the Defense of Marriage Act (DOMA) is unconstitutional because it violates the rights of same-sex couples who are validly married under Massachusetts law. At issue in the case was a provision of DOMA that says only opposite-sex spouses may be recognized as spouses for purposes of federal law.

This has important implications for employee-benefit plans because several provisions of federal law grant spouses special rights. For example, spouses have survivor rights under retirement plans, and spouses can receive tax-free coverage and have special-enrollment and COBRA rights under group health plans. Under DOMA, these rights do not apply to same-sex spouses, but that could change if DOMA is struck down.

The case does not disturb existing state statutes and constitutional provisions that prohibit the recognition of same-sex marriages. But difficult questions may arise if a same-sex couple that is validly married in one state seeks to enforce rights under federal law against an employer or employee-benefit plan in a state that does not recognize same-sex marriage.

Ultimately, this is an issue that will be addressed by the Supreme Court, and now that a federal appeals court has ruled, review by the Supreme Court could come as early as next year.
