The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains Privacy and Security Rules. The Privacy Rule is intended to provide individual rights regarding protected health information (PHI). The Security Rule is intended to protect an individual’s electronic personal health information (ePHI) against “reasonably anticipated threats” to its confidentiality, integrity, and availability. The HITECH Act included a security breach notification rule which outlines when and how individuals must be notified when a breach of their PHI or ePHI has occurred.

The Privacy Rule requires covered entities to limit their use of an individual’s protected health information to the minimum necessary. While employers are not considered covered entities, the group health plans that are sponsored by employers are covered entities and do have compliance requirements. The level and responsibility for compliance depends on whether PHI is provided by the group health plan to the employer or not.

Employee benefit brokers and consultants may also have compliance requirements as a business associate of group health plans. When a benefits broker handles a group health plan’s PHI, it is required to protect it in the same manner as a covered entity. As a business associate of the insurance carriers and some self-insured client plans, Keller Benefit Services is fully compliant with HIPAA.

Key Definitions

Protected Health Information (PHI) is individually identifiable health information that is transmitted or maintained in any form or medium and relates to the past, present, or future physical or mental health condition of an identified individual. Employment records and eligibility information are not considered PHI.

Electronic Protected Health Information (ePHI) is PHI that is created, received, maintained, or transmitted electronically by a covered entity.

Covered entities are health care providers that transmit PHI electronically, clearinghouses, and health plans. Health plans with less than 50 eligible participants that are self-insured and administered in house by an employer, such as a health care FSA, are exempt from compliance.

Business associates including third party administrators (TPAs), attorneys, broker/consultants, and other entities that work with a covered entity. Business associates are required to protect any PHI received from the covered entity in the same manner as required by a covered entity. Prior to disclosing any PHI, covered entities must obtain assurance by written agreement that the business associate will properly safeguard the information.

Permitted disclosures of PHI include disclosure to the affected individual and disclosure for treatment, payment, and specified health care operations.

An individual may provide written authorization to disclose his/her own PHI. Please note that written authorization will be required by insurance carriers or medical providers in order for employers or Keller to assist employees with claim problems or specific medical coverage issues.

Employer Privacy Rule Compliance

Fully-Insured Group Health Plans

Most fully-insured and HMO plans are rarely given PHI by the insurer or HMO. The employer will typically have limited compliance issues and does not have to implement the policies and procedures outlined below, but must still comply with standards for refraining from intimidating or retaliatory acts.

Self-Insured Group Health Plans

Self-insured plans, including health care FSAs, and some larger insured plans typically receive PHI. The following basic actions are required by the employer:

  1. Establish privacy practices that outline the permitted and required uses and disclosures of the information by the plan sponsor/employer and update plan documents accordingly.
  2. Provide employees with a Notice of Privacy Practices that describes how medical information about an individual may be used and disclosed and how the individual may access such information.
  3. Designate a privacy official.
  4. Designate and train personnel how to handle PHI with respect to the established privacy practices.
  5. Design and implement administrative, technical, and physical safeguards to protect PHI in accordance with the 18 established standards.
  6. Establish sanctions that will apply against employees who fail to comply with the privacy practices.
  7. Refrain from intimidating or retaliatory acts against individuals for exercising his/her rights under privacy rules.

Employer Security Rule Compliance

Similar to the Privacy Rule, employers that sponsor fully-insured plans have less of a compliance burden, especially since most insured plans do not receive PHI or ePHI. All plan sponsors need to take at least the first step of the Security Rule. Self-insured health plans, including health care FSAs, and larger fully-insured plans are more likely to have ePHI and therefore must take all of the following steps to comply with the Security Rule:

  1. Identify if there is any ePHI from the group health plan in the employer’s computer systems.
  2. Designate a security official (may be the same person as your privacy official).
  3. Perform a risk analysis to identify potential threats against the confidentiality, availability, and integrity of the ePHI.
  4. Design and document security policies and procedures incorporating the required 18 security standards for the administrative, physical, and technical safeguards.

The Security Rule is designed to be technology neutral and flexible so that covered entities will be able to devise safeguards that can work within their existing system capabilities. In addition, compliance is intended to be scalable, which means a company’s compliance strategy will vary by size of organization, resources available, costs of security measures, and the probability and criticality of risks to any ePHI.

After consultation with your IT department, you may find that your systems and procedures for your plans are security compliant, and your only requirements at this time may be documenting processes and/or amending existing policies and procedures.

Breach Notification Rule

The HITECT Act includes the Breach Notification Rule, which outlines notification procedures for covered entities that experience a breach of PHI that is in violation of the Privacy Rule. A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the information. In order for a breach to occur, the PHI must be “unsecure” and pose a “significant risk of financial, reputational, or other harm” to the affected individuals.

Unsecure PHI means one of the following:

  • ePHI that is not encrypted according to specific standards adopted by the National Institutes of Standards and Technology (“NIST”) as outlined in the HIPAA Security Rule. If covered entities opt to encrypt ePHI according to the NIST standards and a breach occurs, the notification rules will not apply. However, if covered entities use an alternate method to secure ePHI, such as firewalls, and a breach occurs, the notification rules apply.
  • PHI that is not completely destroyed. PHI on electronic media should be cleared, purged, or destroyed consistent with NIST “Guidelines for Media Sanitization.” PHI on hard copy (paper or film) must be shredded or destroyed so that it cannot be reconstructed.

There are three exceptions in which case there is no security breach and therefore no notification is required:

  • Unintentional acquisition, access, or use by a covered entity’s employee.
  • Inadvertent disclosure from one authorized employee to another authorized employee at a covered entity.
  • An individual would not reasonably have been able to retain the information.

If the covered entity determines that a breach of unsecured PHI has occurred and none of the exceptions addressed above apply, the covered entity needs to:

  • Notify the affected individual within 60 days after the discovery of the breach.
  • If less than 500 individuals are affected by the breach, the covered entity must maintain a log of breaches and submit to HHS on an annual basis.
  • If more than 500 individuals are affected, HHS must also be notified. In addition, if more than 500 residents of a state are affected, a “prominent media outlet” must also be notified.

All of the security breach rules that apply to covered entities apply to their business associates as well. Business associates are required to notify the covered entity of any security breaches.