Search the LHSFNA website
Published: April, 2013; Vol 9, Num 11

 

Final HIPAA Rule Invites Multiemployer Plan Reviews

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and updated in 2005, but new regulations were required to bring HIPAA rules into compliance with the Patient Protection and Affordable Care Act (PPACA) of 2010.

The new regulation was issued in February, takes general effect on March 23, 2013, and requires compliance by multiemployer plans by September 23, 2013. Because the new regulation has tougher enforcement requirements than in the past, now is the right time for LIUNA Health & Welfare funds to review their contracts and protocols to be sure they are in compliance.

In particular, funds should confirm:

  • Compliance with the HIPAA security rule, including plan amendments, policies and procedures
  • Timely distribution of privacy notices
  • Written agreements with all business associates
  • Policies and procedures for privacy, security and breach notification that meet the requirements of the final regulation

In general, multiemployer plans and business associates (third-party administrators, actuaries, accountants, consultants, etc.) who use or disclose protected health information (PHI, including electronic PHI) in performing services for multiemployer plans should take action now to ensure compliance by September 23.

Business Associates

Previously, it was the responsibility of the multiemployer plan to (a) maintain policies and procedures for privacy, security and breach notification compliance; (b) maintain agreements with business associates; (c) train members of their workforce to use and disclose PHI appropriately; and (d) distribute a notice of privacy practices to plan participants at appropriate times.

Under the final rule, however, business associates that have access to PHI are now directly liable for civil and criminal penalties for certain HIPAA breaches. They must establish and maintain protocols to implement required safeguards, train their workforce to comply and document compliance. Business associates must enter into written contracts with funds and with their subcontractors to maintain such compliance systems.

Plan sponsors should review and revise contracts with business associates to make sure they are compliant with the final rule. Agreements should include indemnification for HIPAA violations by business associates as well as respective responsibilities between the sponsor and the business associate should a breach notification be required.

Related Concerns

  • GINA Compliance. Under the Genetic Information Nondiscrimination Act of 2008 (GINA), the final rule specifies that genetic information may not be used or disclosed for underwriting purposes. A fund's notice of privacy practices for participants must include a provision describing PHI disclosure restrictions under GINA.
  • Notice of Privacy Practices. Contrary to an earlier rule that required notice within 60 days of any material change in privacy practices, the final rule requires plans that post their privacy rules on a website to meet their notification requirement by posting a website notice of a material change by its effective date and notifying participants of the change in the notice of the next annual meeting. A plan's privacy notice must also include a statement that the plan is required to notify affected individuals following a breach of unsecured PHI.
  • Breach Notification. Under the final regulations, a breach requiring notice to affected participants, HHS and, in some cases, the media is presumed to have occurred whenever PHI maintained by the plan or business associate is acquired, accessed, used or disclosed in a manner that violates the privacy rule. The presumption can be rebutted (negating the need to inform participants, HHS or the media) if the plan or business associate demonstrates, pursuant to four factors provided under the final regulations, that there is "low probability" that PHI has been compromised.
  • Enforcement. Multiemployer plans and business associates are subject to civil and criminal penalties for HIPAA violations.

The information provided herein is general guidance for LIUNA Health & Welfare funds and their business associates. Specific circumstances require the assessment and advice of attorneys and special advisors.

[Steve Clark]