Integrity Background Screening
21 May 2013

Be Prepared for HHS’ Enhanced Enforcement of HIPAA Rules (SHRM article)

http://www.shrm.org/LegalIssues/FederalResources/Pages/HHS-Enhanced-Enforcement-HIPAA-Rules.aspx

5/16/2013 By Susan R. Heylman

NEW ORLEANS—Under the 2013 revisions to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, employers must update their health information disclosure policies and retrain their employees to ensure compliance, said Timothy Stanton, an attorney in Ogletree Deakins’ Chicago office, and Timothy Verrall, an attorney in the firm’s Houston office, speaking to attendees at the firm’s 2013 Workplace Strategies seminar on May 9.

The Department of Health and Human Services (HHS) issued the new regulations on Jan. 25, 2013, to implement major changes mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as the Genetic Information Nondiscrimination Act (GINA).

New Requirements for Business Associates

Previously, HIPAA regulations generally covered any business associate who performed or assisted in any activity involving the use or disclosure of individually identifiable health information, such as third-party administrators, pharmacy benefit managers and benefit consultants. Under the new regulations, business associate status is triggered whenever a vendor “creates, receives, maintains or transmits” protected health information (PHI) on behalf of a covered entity.

“The key addition in this part of the regulation is to be found in the word ‘maintains,’ because any entity that ‘maintains’ PHI on behalf of a covered entity—even if no access to that information is required or expected—will be a business associate,” Stanton and Verrall said.

“This change has some important consequences for group health plans that rely on cloud storage as a repository for their PHI or that outsource information-technology support and other functions” and do not have business associate agreements (BAAs) with such vendors, they noted.

“If you give PHI to a vendor before a BAA is in place, you’re in violation of HIPAA, and if you’re a vendor, you can’t receive PHI without a compliant BAA in place,” they cautioned. The compliant BAA must come first, before any PHI changes hands, they emphasized.

Another change Stanton and Verrall noted is that the BAA requirement now flows downstream: a business associate must itself enter into a BAA (a so-called sub-BAA) with any agent or subcontractor it retains to help perform covered functions for an employer-sponsored health plan. They advised plan sponsors to include BAA language stating that a business associate can’t subcontract work involving PHI without prior permission, and then to monitor compliance with those agreements.

Presumption of PHI Breach Introduced

Under the previous rules, an impermissible use or disclosure of PHI—including electronic PHI—was a breach only if it posed a significant risk of harm to the individual. The new rules replace that harm standard with a presumption that any impermissible use or disclosure of PHI is a breach, subject to the breach-notification rules, unless the covered entity or business associate can demonstrate otherwise.

“This is a big change,” Stanton and Verrall said. “The only way to get out of this presumption is by a demonstration that there is a low probability that the PHI was compromised.”

To demonstrate low probability, the health plan or business associate must perform a risk assessment of four factors—at a minimum:

*The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.

*The unauthorized person who used the PHI or to whom the disclosure was made.

*Whether the PHI was actually acquired or viewed.

*The extent to which the risk to PHI has been mitigated.

HHS has indicated that it expects these risk assessments to be thorough, completed in good faith and documented, and to reach reasonable conclusions. If the risk assessment does not establish a low probability that the PHI has been compromised, breach notification is required.

Action Advised for 2013

While the new regulations bring certainty to employer-sponsored health plans and their business associates on HIPAA compliance issues, they also emphasize the department’s intention to subject business associates and their subcontractors to heightened scrutiny, Stanton and Verrall said.

Accordingly, employers should review and revise their BAAs to ensure compliance with the security rule, paying special attention to the inclusion of subcontractors, they advised. In addition, employers should review and revise (or create) breach-notification procedures that detail how a risk assessment will be conducted.

At the same time, it is equally important to train employees who have access to PHI on these updated policies and procedures, the attorneys said.

Compliance with the final regulations is required by Sept. 23, 2013; HHS has provided an additional one-year transition period (to Sept. 22, 2014) for covered entities and business associates whose BAAs were entered into before Jan. 25, 2013 and are not renewed or modified between March 26 and Sept. 23, 2013. The department also published an updated version of its template BAA, but it does not address all the unique situations that may arise between a covered entity and a business associate. Consequently, employers should ensure that their business associate agreements are tailored to their individual circumstances and business needs, Stanton and Verrall cautioned.

Susan R. Heylman, J.D., is a freelance legal writer and an editor based in the Washington, D.C., area.
