This Minnesota Human Resources Manual is offered to you for free. Find state specific laws and regulations below.

Health insurance portability and privacy — Minnesota

The Health Insurance Portability and Accountability Act (HIPAA) has a significant impact on medical coverage provided by employer-sponsored group health plans. Among other provisions, HIPAA:

  • requires a group health plan to limit exclusions based upon preexisting conditions
  • prohibits group health plans from denying coverage to individuals or charging higher premiums based on health status
  • guarantees renewability of coverage to certain individuals
  • requires a group health plan to provide for the privacy and security of plan participants’ private health information.

Employers that violate HIPAA’s portability, privacy, or security provisions may face fines and/or lawsuits for failing to meet these requirements. Additionally, HIPAA imposes notification requirements should a plan sponsor become aware that certain health information has been improperly disclosed or accessed.

The original HIPAA Privacy and Security Rules focused on health care providers, health plans, and other entities that process health insurance claims. In January of 2013, the Department of Health and Human Services (HHS) published new regulations expanding many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Potential penalties for noncompliance are based on the level of negligence with a maximum penalty of nearly $1.8 million per violation. The revised regulations also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

For purposes of HIPAA’s requirements, health insurance coverage means benefits for medical care under any hospital or medical service policy or certificate, hospital or medical service plan contract, or HMO contract offered by a health insurance issuer. It does not, however, include certain “excepted benefits” such as:

  • accident-only coverage
  • disability income insurance
  • liability insurance, including general liability insurance and automobile liability insurance
  • workers’ compensation or similar insurance
  • automobile medical payment insurance
  • credit-only insurance (for example, mortgage insurance)
  • coverage for on-site medical clinics.

Certain limited scope dental and vision benefits or long-term care benefits are also excepted benefits if they are provided under a separate policy, certificate, or contract of insurance, or are otherwise not an integral part of the plan.

HIPAA requirements also generally do not apply to governmental plans that elect to opt out of HIPAA’s portability requirements or to a group health plan for any year in which the plan has only one employee-participant on the first day of the plan year. There is no opting out, however, under HIPAA’s medical privacy and electronic security rules.

Employee protections 

HIPAA provides protection to individuals who are changing jobs and/or health coverage by restricting the ability of the new group health plan to limit coverage for prior medical conditions or other health status factors.

Limitations on imposing preexisting condition exclusions

Under the Affordable Care Act, signed into law in 2010, preexisting condition exclusions for individuals of all ages are prohibited beginning January 1, 2014. However, some older group plans may be considered “grandfathered” into the old rules and may be permitted to exclude preexisting conditions according to HIPAA for at least one additional year. Under HIPAA, a group health plan (or a health insurance issuer offering group health insurance coverage) may impose such exclusion only if the following requirements are met:

  • Six-month look-back rule - A preexisting condition exclusion (PCE) may be imposed only for a preexisting condition, which is defined as a medical condition for which medical advice, diagnosis, care, or treatment was recommended or received within the six-month period prior to the enrollment date.
    Medical care or treatment includes taking a prescribed drug during the look-back period, even if prescribed more than six months before the enrollment date.
  • Twelve-month look-forward rule - The group health plan may not limit or exclude benefits for a preexisting condition for any more than the 12-month period after the enrollment date. If the employer imposes a “waiting period” of employment before an individual is eligible to enroll, the 12-month period begins on the first day of the waiting period.
    There is an exception to this limitation for individuals who do not enroll in the plan when they are first eligible to enroll or during a special enrollment period (as discussed herein). These individuals are considered to be “late enrollees” and the plan may impose its PCE for up to 18 months with respect to late enrollees.
  • Prohibition on preexisting condition exclusions for children - Effective for plan years beginning on or after September 23, 2010, group health plans may not deny coverage to children younger than age 19 based on preexisting conditions. This prohibition includes both benefit limitations (for example, a health plan refusing to pay for chemotherapy for a child with cancer because the child had the cancer before getting insurance) and outright coverage denials (for example, the health plan refusing to offer a policy to the family for the child because of the child’s preexisting medical condition). Under the Affordable Care Act passed in 2010, a similar restriction on excluding preexisting conditions will apply to all plan participants for plan years beginning on or after January 1, 2014, but some plans may be considered grandfathered into the old rules and permitted to exclude preexisting conditions for adults for an additional year. The health care reform law also prohibits lifetime limits on benefits and, by 2014, ends annual limits on coverage.
  • Reduction of exclusion period by creditable coverage - Finally, the period of the PCE must be reduced to the extent the individual has prior creditable coverage under another plan. However, prior periods of creditable coverage generally do not count toward reducing the PCE period if the individual experienced a break in coverage of 63 days or more. Any time spent without coverage due to an employer-imposed “waiting period” does not count towards the 63-day gap. A group health plan cannot impose any PCE relating to pregnancy as a preexisting condition. Also, a group health plan’s PCE may not apply to a newborn or adopted child if that child has creditable coverage on at least one day within the 30-day period following a birth, adoption, or placement for adoption, and the child is subsequently enrolled in the group health plan without a significant break in coverage. Also, genetic information alone, without diagnosis of a specific related condition, cannot be treated as a preexisting condition.

Notice requirements

In order to impose a PCE, a group health plan must provide, as part of its enrollment materials, a written notice explaining the existence, length, and terms of the PCE. The notice must explain that creditable coverage will reduce the length of the PCE, that the individual has the right to demonstrate creditable coverage, and that the individual has the right to request a certificate of creditable coverage from the prior plan. The notice must also state that the current plan will assist in obtaining the certificate, if necessary. The notice must include a contact person (with telephone number or address) for assistance or additional information in obtaining a certificate.

Creditable coverage

In general, creditable coverage means health coverage provided to an individual under programs such as:

  • a group health plan
  • another group or individual health insurance policy
  • Medicare or Medicaid
  • Chapter 55 of Title 10 of the United States Code (medical coverage for members of the uniformed services)
  • a public health plan (as defined in regulations)
  • State Children’s Health Insurance Program.

A period of creditable coverage is not counted if there is a break in coverage of at least 63 days (other than any applicable waiting period) between the end of the creditable coverage period and the participant’s or beneficiary’s enrollment date under the new creditable coverage.

Calculation of periods of creditable coverage

A group health plan may count periods of creditable coverage without regard to the specific benefits provided under such coverage. Alternatively, the group health plan may count the periods of creditable coverage for certain types of benefits (such as mental health, prescription drugs, or dental care).

Certificates of creditable coverage

In general, an individual proves prior creditable coverage by presenting to a new group health plan a certificate of creditable coverage from the old plan. 

A group health plan must furnish a plan participant, without charge, with a certificate of coverage in the form on each of the following occasions:

  • Automatically, at the time a plan participant ceases to be covered under the plan (or would cease to be covered if not for continuation coverage under COBRA or applicable state law). The certificate generally must be provided to the participant at a time consistent with notices required under COBRA. For a participant not entitled to elect COBRA coverage, the certificate must be provided within a reasonable period of time after coverage ends. The group health plan must also provide a certificate automatically to any qualified beneficiary at the end of the COBRA coverage period.
  • Additionally, a certificate must be provided to a plan participant upon request within 24 months of the loss of coverage.

The summary plan description provided to plan participants and beneficiaries must include an explanation of the procedures to be followed to obtain a certificate.

Self-insured group health plans bear the responsibility for providing the certificates. If the plan is a fully-insured group health plan, the health insurer will normally fulfill these obligations. However, the plan sponsor must verify with the health insurer that the certificates are being provided as required.

Form and content of the certificate

The certificate of creditable coverage must be in written form and contain specific information. A copy of the model certificate published by the Department of Labor is attached at the top of this chapter, available for download. 

No written certificate is required if:

  • the individual requests that the certificate be sent to another plan or issuer instead of the individual
  • the plan or issuer that would otherwise receive the certificate agrees to accept the information through means other than a written certificate (that is, by telephone)
  • the receiving plan or issuer receives such information from the sending plan or issuer in such form within the required time period.

Rules related to certification

  • A plan may provide a single certificate for a participant and the participant’s dependents, if the period of coverage is identical for each individual. However, if plan coverage information is different for each family member, such information must be separated on the certificate with each set of information clearly indicated for the applicable family members.
  • The certificate must be sent by first-class mail to the participant’s last known address. If a dependent’s last known address is different from the participant’s last known address, a separate certificate must be mailed to the dependent’s last known address.
  • If the individual entitled to receive a certificate designates another individual or entity to receive the certificate, the certificate may be provided to that designated individual or entity.

Demonstrating creditable coverage through other means

If the accuracy of a certificate is in question or a certificate of creditable coverage is not available, an individual may demonstrate creditable coverage (and any waiting periods) through the presentation of documents or other means. The plan may not consider an individual’s inability to obtain a certificate to be evidence of the absence of creditable coverage. Documents that may establish creditable coverage in the absence of a certificate include:

  • explanations of benefit claims
  • pay stubs showing payroll deduction for health coverage
  • a health insurance identification card
  • records from medical care providers indicating health coverage.

The plan must take into account all information that it receives on behalf of an individual. The plan must make a determination, based upon the relevant facts and circumstances, whether the individual has creditable coverage and is entitled to offset all or a portion of any PCE period.

A plan shall treat the individual as having furnished a certificate if the individual:

  • attests to the period of creditable coverage
  • presents relevant supporting evidence of some creditable coverage during the period
  • cooperates with the plan’s efforts to verify the individual’s coverage. (Cooperating with the plan includes, among other things, providing a written authorization for the plan to request a certificate on the individual’s behalf.)

Notification of preexisting condition exclusion periods

A plan seeking to impose a PCE is required to disclose to the individual, in writing, its determination of any PCE period that applies to the individual as well as the basis for such determination (including the source and substance of any information on which the plan relied). In addition, the plan is required to provide the individual with a written explanation of any appeal procedures established by the plan and with a reasonable opportunity to submit additional evidence of creditable coverage.

Special enrollment periods

As a general rule, a group health plan can limit the times when an individual can enroll in the plan. However, HIPAA requires group health plans to establish special enrollment periods in certain circumstances. As noted previously, an individual who enrolls for coverage in a group health plan after the first period in which the individual is eligible to enroll generally can be subject to an 18-month PCE as a “late enrollee.” However, any individual who enrolls in a group health plan during one of the special enrollment periods set forth herein is not considered a “late enrollee” and is, therefore, subject only to a 12-month PCE period.

Individuals losing other coverage

A group health plan must permit an eligible employee and/or dependent to enroll for coverage under the plan if each of the following conditions is met:

  • The employee or dependent was covered by a group health plan or had other health insurance when the coverage was previously offered.
  • The employee stated in writing at such time that enrollment was declined because of coverage under another group health plan or other health insurance coverage (if the plan sponsor required such a statement and provided notice of such requirement).
  • The previous coverage:
    • was COBRA coverage that has now been exhausted
    • was not COBRA coverage but was terminated as a result of loss of eligibility for such coverage or because employer contributions toward such coverage were terminated
    Loss of eligibility does not include loss of coverage for failure of the employee to pay premiums or termination of coverage for cause (filing fraudulent claims under the plan, intentional misrepresentation of facts related to coverage, etc.). However, an individual reaching a lifetime maximum limit on benefits is a loss of eligibility that may trigger special enrollment.
  • The employee or eligible dependent requests to be enrolled in the new coverage no later than 30 days after the prior coverage ceases (that is, the special enrollment period).

Acquiring new dependents

HIPAA also requires a group health plan to permit a special enrollment period when an employee acquires a new dependent through marriage, birth, or adoption. In general, if an eligible individual gains a dependent through marriage, birth, adoption, or placement for adoption, the group health plan must permit the individual, the new spouse, and any new dependent to enroll in the plan. The individual must notify the plan of the special enrollment event within 30 days in order to be eligible for special enrollment. Coverage becomes effective on the following dates:

  • in the case of marriage, not later than the first day of the first month beginning after the date the completed request for enrollment is received
  • in the case of a dependent’s birth, as of the date of such birth
  • in the case of a dependent’s adoption, or placement for adoption, the date of such adoption, or placement for adoption.

Notice of special enrollment rights

On or before the time an employee is offered the opportunity to enroll in a group health plan, the plan is required to provide the employee with a description of the HIPAA special enrollment rules. Language for a sample notice has been provided by the Department of Labor and can be seen in the files tab at the top of the page.

Prohibition against discrimination based on health status

Eligibility for coverage

A group health plan cannot establish eligibility rules that discriminate against any individual with respect to coverage or continued coverage or premium amounts based on any of the following factors:

  • health status
  • medical condition (including both physical and mental illness)
  • claims experience
  • receipt of health care
  • medical history
  • genetic information
  • evidence of insurability (including evidence of claims arising from acts of domestic violence)
  • disability of the enrollee or the enrollee's dependents.

These requirements, however, do not prevent a group health plan from limiting the amount, level, extent, or nature of the benefits provided as long as such limitations do not discriminate among similarly situated individuals. Thus, for example, a group health plan could choose not to cover experimental medical procedures or choose to limit the benefits for experimental medical procedures, provided this limitation applies equally to all similarly situated individuals.

Premiums

A group health plan cannot require an individual to pay a higher premium on the basis of any health-related factor that may apply to the individual. However, the plan may charge different premiums for different classes of employees (such as full-time and part-time employees), as long as the different classes are based on bona fide distinctions not related to health factors.

A group health plan may offer premium discounts, rebates, and adjustments to deductibles or co-payments in exchange for adherence to bona fide wellness programs, including health promotion and disease prevention programs such as weight loss or smoking cessation programs. If these incentives are contingent on particular results (such as specified blood pressure levels, refraining from smoking, etc.), then a number of restrictions apply.

Penalties for noncompliance

In addition to possible exposure to a participant lawsuit, HIPAA imposes a tax on group health plans that fail to meet the requirements of the law.

Amount of the tax

An employer whose group health plan fails to meet the requirements (or the plan, in the case of a multiple employer plan) faces a penalty tax of $119 for each day of the non-compliance period for each affected individual. The non-compliance period begins on the date the failure occurs and ends on the date of correction.

Limitations on amount of the tax

  • No tax is imposed during any period if the IRS determines that the employer or insurer was not aware that the health plan was not in compliance and could not have discovered the non-compliance by the exercise of reasonable diligence.
  • No tax is imposed if the failure is due to reasonable cause and is corrected within 30 days of the date it is (or should have been) discovered.
  • For unintentional failures, the tax is capped at the lesser of $500,000 or 10% of the amount paid or incurred by the employer during the preceding tax year for group health plans (or for multiple employer plans, the lesser of $500,000 or 10% of the amount paid by the trust to provide medical care during such taxable year).
  • In the case of a group health plan of a small employer (an employer that employs an average of more than two but fewer than 50 employees) that provides health insurance coverage solely through a contract with a health insurance issuer, no tax shall be imposed on the employer on any failure that is solely because of the health insurance coverage offered by such insurer.
  • The IRS has the discretion to reduce the amount of a tax penalty if it finds the penalty to be excessive in relation to the failure and if the failure is due to reasonable cause, and not willful neglect.

Keeping health information private

In addition to the regulation of health insurance portability and non-discrimination rules, HIPAA also provides for the protection of participants’ medical records and other individually identifiable health information that is created, received, or maintained by the group health plan or certain other entities (protected health information, or PHI). In general, the rules below will apply only to records held in connection with a group health benefits plan or some on-site medical clinics, and not to records held by the employer itself (for example, for absence management policies). However, because such information can be sensitive regardless of where it is held, appropriate safeguards should be applied to all medical information.

The privacy regulations under HIPAA (Privacy Rule), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, including the final regulations which went into effect on March 23, 2013, impose the following requirements.

Limits on use of personal medical information

The Privacy Rule is a federal provision that requires a comprehensive approach to ensuring that the privacy of PHI is balanced with the public’s responsibility to support medical research, public health and quality of care. The Privacy Rule sets limits on how a group health plan may use PHI. Under the Privacy Rule, a group health plan is generally prohibited from using and disclosing PHI without first obtaining the authorization of the participant. However, to ensure that the group health plan’s activities are not unduly hampered, activities for treatment, payment and healthcare operations (TPO Activities) are exempted from certain aspects of the Privacy Rule. For purposes of the Privacy Rule, TPO Activities are defined as the following:

  • Treatment - Coordinating and managing health care with a third party, consulting between health care providers regarding a patient, and referring a patient to another health care provider to receive care.
  • Payment - Activities of a group health plan to obtain premiums, fulfill its coverage responsibilities, provide benefits, and obtain or provide reimbursement for the provision of health care.
  • Health care operations - Quality assurance, case management, professional review, health insurance contracting, compliance and review, management and administration, business planning and development, and changes of legal ownership.

A group health plan does not need to obtain the participant’s authorization prior to the use of PHI for TPO Activities, but may use or share only the minimum amount of PHI necessary for a particular purpose. In most other situations, the plan cannot use or disclose PHI unless the plan participant signs a specific authorization permitting the use or disclosure.

Access to medical records

Plan participants generally have the right to see and obtain copies of their medical and claim records and request corrections if they identify errors and mistakes. However, participants may be denied access to certain types of information in limited circumstances. If the participant has the right to obtain copies of the participant's medical and claim records, access to these records must generally be provided within 30 days and the group health plan may reasonably charge plan participants for the cost of copying and sending the records. If the participant identifies errors and requests the records be changed, the plan must comply with the request within 60 days.

Notice of privacy practices

A group health plan must provide a notice to its plan participants at the times of their enrollment and then at least every three years thereafter explaining how the plan intends to use their PHI, as well as explaining the participants’ rights under the Privacy Rule. Plan participants also have the right to ask their group health plan to restrict the use or disclosure of their PHI beyond the practices included in the notice, but the group health plan is not required to comply with such requests.

Confidential communications

Under the Privacy Rule, a plan participant must be permitted to request receipt of confidential communications of the participant's PHI by alternative means or at alternative locations if the individual states that the disclosure of the information could endanger the individual. A group health plan must accommodate all reasonable requests for confidentiality.

Public responsibilities

In limited circumstances, the Privacy Rule permits (but does not require) a group health plan to disclose limited amounts of PHI for specific public responsibilities.

Some of the permitted disclosures include:

  • emergency circumstances
  • information concerning victims of abuse, neglect, or domestic violence
  • identification of the body of a deceased person or the cause of death
  • public health purposes
  • judicial and administrative proceedings
  • limited information for identification and location purposes related to law enforcement activities
  • activities related to national defense and security
  • certain research activities.

Complaints

Plan participants may file formal complaints regarding the privacy practices of a group health plan. Such complaints can be submitted to the health plan’s Privacy Officer or filed with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which has the authority to receive and investigate complaints and enforce the Privacy Rule. Plan participants are required to file such complaints with the OCR in writing within 180 days of when they knew that the act or omission complained of occurred. The group health plan may not retaliate against a plan participant for submitting a complaint or exercising any rights provided by the Privacy Rule.

Written privacy procedures

The Privacy Rule requires that a group health plan maintain written privacy procedures, including a description of the members of the group health plan’s workforce that have access to PHI, how PHI will be used, and when PHI may be disclosed. A group health plan must implement policies and procedures with respect to PHI that are designed to comply with the Privacy Rule. The group health plan’s policies and procedures must take into account the size of the group health plan and the types of activities in which the group health plan engages. The group health plan must also ensure that its policies and procedures are revised regularly to reflect changes in the law and in the plan’s privacy practices.

Employee training and privacy officer

A group health plan is required to designate an individual as the privacy official who will be responsible for developing and implementing the privacy policies and procedures for the group health plan. The privacy officer, or some other designated contact person, is also responsible for receiving complaints from plan participants and beneficiaries, as well as providing further information regarding the group health plan’s notice of privacy practices. In addition to designating a privacy officer, a group health plan must provide adequate training of its employees in the plan’s privacy policies and procedures. For newly hired members of the plan’s workforce, training must be completed within a reasonable time period after hiring.

Adequate separation

A group health plan must ensure that its plan documents provide for adequate separation between the group health plan and the plan sponsor. Specifically, the plan documents must identify the members of the group health plan’s workforce (either by name or class) who may receive access to PHI, including the workforce members who receive PHI for TPO Activities, or for other matters relating to the group health plan in the ordinary course of business included in the description of the plan. Additionally, the workforce members’ access to PHI must be restricted to the plan administration functions performed for the plans by their plan sponsors. Finally, the plan documents must provide for the means to resolve any issues arising from workforce members’ (who have access to PHI) non-compliance with the plan’s policies and procedures or non-compliance with the Privacy Rule.

Breach notification

“Unsecured PHI” is protected health information in any medium that has not been protected by a technology or methodology that has met government approval (for example, encryption). A covered entity (including a health plan and, by extension, the plan sponsor) is required to notify affected parties in the event of a “breach” of unsecured PHI, which includes most unauthorized access, disclosure, release, or use of such information. Certain good-faith disclosures are excepted from this rule (for example, an inadvertent disclosure to another individual within the “HIPAA firewall” of the health plan). Additionally, disclosures where the unauthorized recipient would have no reasonable means of retaining or recording the PHI are excepted from these requirements.

In the event of a covered disclosure of unsecured PHI, the health plan must notify each affected individual of the breach. Additionally, if the breach is reasonably expected to have affected more than 500 individuals, local media outlets must be notified. In general, the notification must be provided via first-class mail no later than 60 days after the first date the breach was discovered. The notice must include the following items:

  • a brief description of the breach and the date on which it occurred
  • a description of the PHI that was involved in the breach, such as names, birth dates, social security numbers, account numbers, and health-related information (diagnosis, prescribed medications)
  • steps that affected individuals should take to protect themselves
  • contact information to obtain additional information about the breach
  • a summary of any internal investigations or reviews of the breach, as well as any actions the plan has taken to mitigate the damage from the breach, and to protect against future breaches.

In addition, and to the extent applicable, the group health plan should also comply with state breach notification requirements applicable to a breach involving personal information, such as social security numbers or drivers' licenses that could be used to identify a plan participant.

Documentation

A group health plan must maintain all documentation (that is, policies, procedures, etc.) required by the Privacy Rule for a period of six years from the later of the date of its creation or the date when it last was in effect. Such documentation must be made available to the workforce members responsible for implementing the group health plan’s policies and procedures.

Exemption from the Privacy Rule requirements

A group health plan is not subject to the standards and implementation specifications of the Privacy Rule if health benefits are provided under the plan solely through an insurance contract with a health insurance issuer or an HMO and the group health plan does not create or receive PHI other than summary health information or enrollment information. A group health plan that meets this exception is still required to refrain from retaliatory, intimidating, or discriminating acts against individuals who exercise their privacy rights according to the Privacy Rule, and it is further prohibited from requiring or requesting waivers of an individual’s right to lodge a complaint with the Secretary of the HHS.

Penalties

A group health plan that fails to comply with the Privacy Rule is subject to a number of penalties. Civil penalties were greatly increased by regulations published in 2020.

A person who knowingly obtains or discloses PHI in violation of the Privacy Rule also faces up to one year of imprisonment. The criminal penalties increase to up to five years of imprisonment and $100,000 if the wrongful conduct involves fraud, and up to 10 years of imprisonment and $250,000 if the wrongful conduct involves the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm. Criminal sanctions are enforced by the Department of Justice. State Attorneys General may bring civil actions in federal district court on behalf of their residents for violations of the Privacy Rule.

Categories of Violations and Respective Penalties

| Type of violation | Each violation | All such violations of an identical provision in a calendar year |
|---|---|---|
| Did not know and by the exercise of reasonable diligence would not have known | $119 to $59,522 | $1,785,651 |
| Reasonable cause | $1,191 to $59,522 | $1,785,651 |
| Willful neglect – timely corrected | $11,904 to $59,522 | $1,785,651 |
| Willful neglect – not timely corrected | $59,522 to $1,785,651 | $1,785,651 |

The security of health information

HIPAA’s security regulations (Security Rule) require a group health plan to protect the confidentiality, integrity, and availability of PHI when it is stored, maintained, or transmitted electronically. A group health plan must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of individually-identifiable health information that is created, received, or maintained by the health plan electronically (Electronic PHI) against any reasonably anticipated risks.

Requirements of the security regulations

HIPAA requires the HHS to establish national standards for the security of Electronic PHI. The Security Rule specifies a series of administrative, technical, and physical security procedures for group health plans to utilize to assure the confidentiality of Electronic PHI. The Security Rule specifies standards that are delineated into either required or addressable implementation specifications.

The required specifications are critical and must be implemented. With respect to the addressable specifications, a group health plan must assess whether each implementation specification is a reasonable and appropriate safeguard by analyzing such specification’s likelihood of protecting Electronic PHI. 

If a group health plan decides that an addressable specification is applicable, it must:

  • implement the specification as set forth in the security regulations if the specification is reasonable and appropriate
  • implement an alternative security measure to accomplish the same purpose of the specification if the specification is not reasonable and appropriate but the overall standard can be met without implementing an alternative security measure
  • not implement anything if the specification is not reasonable or appropriate and the standard can still be met. If the group health plan decides not to implement a standard, it must document its decision, the rationale behind such decision, and the alternative safeguard implemented to meet such standard.

Administrative safeguards

The Security Rule’s administrative safeguards require a group health plan to have documented policies and procedures for managing day-to-day operations, the conduct and access of workforce members to Electronic PHI, and the selection, development, and use of security controls.

The specific standards are as follows:

  • Security management process - An overall requirement to implement and document policies and procedures to prevent, detect, contain, and correct security violations must be developed.
  • Assigned security responsibility - A single individual must be designated as the plan’s security officer, who will have the overall responsibility for the security of a group health plan’s Electronic PHI.
  • Workforce security - Policies, procedures, and processes must be developed and implemented to ensure that only properly-authorized workforce members have access to Electronic PHI.
  • Information access management - Policies, procedures, and processes must be developed and implemented to ensure that only properly-authorized workforce members have access to Electronic PHI.
  • Security awareness and training - A security awareness and training program for a group health plan’s entire workforce must be developed and implemented.
  • Security incident procedures - Policies, procedures, and processes must be developed and implemented for reporting, responding to, and managing security incidents.
  • Contingency plans - Policies, procedures, and processes must be developed and implemented for responding to a disaster or emergency that damages information systems containing electronic PHI.
  • Evaluation - A group health plan must perform periodic technical and nontechnical evaluations that determine the extent to which its security policies, procedures, and processes meet the ongoing requirements of the Security Rule.
  • Business associate contracts and other arrangements - Group health plans, as well as plan sponsors/employers must, when dealing with business associates that create, receive, maintain, or transmit Electronic PHI on the group health plan’s behalf, develop and implement contracts that ensure the business associate will appropriately safeguard the information.

Physical safeguards

The physical safeguards are a series of requirements meant to establish the minimum physical protections acceptable for ensuring data integrity, confidentiality, and availability, and to guard physical computer systems from fires, other natural and environmental disasters, and unauthorized access. A group health plan must limit and control physical access while permitting properly-authorized access. The specific standards are:

  • Facility access controls - An overall requirement to implement policies, procedures, and processes that limit physical access to electronic information systems while ensuring that properly-authorized access is allowed.
  • Workstation use - Policies and procedures must be developed and implemented that specify appropriate use of workstations and the characteristics of the physical environment of workstations that can access Electronic PHI.
  • Workstation security - A group health plan must implement physical safeguards for all workstations that can access Electronic PHI in order to limit access to only authorized users.
  • Device and media controls - Policies, procedures, and processes must be developed and implemented for the receipt and removal of hardware and electronic media that contain Electronic PHI into and out of a group health plan and the movement of those items within a group health plan.

Technical safeguards

The technical safeguards focus on verifying the identity of the user accessing an electronic network, files or applications, controlling the data the user has access to, and using measures to protect data in the event that it is intercepted during transmission. The specific standards are:

  • Access control - Policies, procedures, and processes must be developed and implemented for electronic information systems that contain Electronic PHI to only allow access to persons or software programs that have appropriate access rights.
  • Audit controls - Mechanisms must be implemented to record and examine activity in information systems that contain or use Electronic PHI.
  • Integrity - Policies, procedures, and processes must be developed and implemented that protect electronic PHI from improper modification or destruction.
  • Person or entity authentication - Policies, procedures, and processes must be developed and implemented that verify persons or entities seeking access to Electronic PHI are who or what they claim to be.
  • Transmission security - Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to Electronic PHI that is being transmitted over the Internet or other electronic communications network.

Business associates

Most group health plans rely on assistance from a variety of businesses, vendors, contractors, and outsourcers that must have access to PHI to perform their jobs properly. A group health plan is required to enter into business associate contracts with such business associates establishing the permitted and required uses and disclosures of such information by the business associate, including prohibitions that preclude the business associate from using or disclosing PHI in a manner that would violate the Security and Privacy Rule.

A business associate is defined as any entity which, on behalf of a group health plan, performs or assists in the performance of functions that involve the use of PHI, such as claims processing or administration, data analysis, billing, benefit management, utilization reviews, or quality assurance. Furthermore, if an entity provides legal, accounting, consulting, management, administrative, or financial services for a group health plan in any other capacity other than as an employee of the group health plan, and the provision of such services involve the use of PHI, such entity is treated as a business associate.

A business associate contract must provide that the business associate agrees, among other things, to:

  • not use or further disclose the PHI other than as permitted or required by the contract or as required by law
  • use appropriate safeguards to prevent use or disclosure of the PHI, other than as provided for by its contract
  • implement administrative, physical, and technical safeguards to protect the confidentiality of electronic PHI that it creates, receives, maintains, or transmits on behalf of the covered entity and to otherwise comply with the Security Rule in performing its obligations under the agreement
  • report to the group health plan any use or disclosure of PHI not provided for by its contract of which it becomes aware
  • ensure that any agents of the business associate, including subcontractors, agree to the same restrictions and conditions that apply to the business associate with respect to PHI received from such business associate or generated on behalf of the group health plan
  • ensure that, at the termination of the contract, the business associate returns or destroys all PHI that it maintains on behalf of the group health plan
    • Note: If such return or destruction is not feasible, the contract must provide that the protections contained therein will continue to apply to the remaining PHI.
  • require the business associate to maintain records for HHS inspection
  • allow the group health plan to terminate the contract if the group health plan determines that the business associate has materially violated the contract.

Certain other provisions, including indemnification for breaches and provisions providing for business associate compliance with the breach notification requirements, are now required as a result of regulations published in 2013 to implement HITECH. Further, many business associate agreements now contain indemnification or other provisions requiring the business associate to cover the costs of a breach by the business associate or any of its subcontractors.

In addition, HITECH required that business associates must comply with the Security Rule and the use and disclosure provisions of the Privacy Rule, and would be subject to HIPAA’s penalties for violations or non-compliance with these provisions. Such compliance steps would, at a minimum, include items such as:

  • Conducting a written security risk analysis.
  • Designating a security officer.
  • Implementing required security policies and procedures.
  • Implementing technical security measures and facility access controls.
  • Conducting HIPAA training programs for staff and management.
  • Entering into business associates agreements with subcontractors with whom PHI is shared.
  • Developing policies and procedures to provide breach notification to the covered entity upon discovering a privacy or security breach.

Documenting health plans

All policies and procedures must be written and documented. A group health plan must maintain all documentation (that is, policies, procedures, records of actions, activities, or assessments) required by the Security Rule for a period of six years from the later of the date of its creation or the date when it last was in effect. Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, a group health plan must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity, and availability of Electronic PHI.

Penalties for noncompliance

The penalties for failing to comply with the Security and Privacy Rules have become tougher as a result of HITECH. There are now four tiers of civil penalties. At the lowest tier, where the group health plan does not know of a violation, penalties are not less than $119 and no more than $59,422 per violation, with an annual cap of $1,785,651 for identical violations. For a fourth-tier violation, which involves willful neglect and a practice that was not corrected within 30 days, the penalties are no less than $59,422 per violation, with an annual cap of $1,785,651 for identical violations. As a result of HITECH, state attorneys general may bring civil actions in federal district court on behalf of their residents for violations of the Privacy and Security Rules.

Where to go for more information

Employee Benefits Security Administration (EBSA), Department of Labor

Department of Health and Human Services, Office for Civil Rights - HIPAA
The U.S. Department of Health and Human Services
200 Independence Avenue SW
Washington, D.C. 20201
Toll free: (877) 696-6775