How Group Health Plans can Ensure HIPAA Compliance

This article was also featured in Compliance Today: How Group Health Plans can ensure HIPAA Compliance

Because not every group health plan (GHP) must comply with all the provisions of the Omnibus Final Rule, some plans may not be as vigilant as other covered entities in meeting the new requirements. Yet GHPs are still subject to enforcement actions and audits conducted by the Office for Civil Rights (OCR). And with the launch of that organization’s online complaint form, it’s easier than ever for someone to report suspected violations of HIPAA privacy or security rights, which often result in an OCR investigation. In 2013, 93% of the complaints filed were determined to result from a violation, and 26% of those resulted in OCR corrective action plans.

The HITECH Act gave state attorneys general (SAG) jurisdiction to file civil suits on behalf of their citizens who claim HIPAA violations. And to help them use their new authority to enforce the HIPAA Privacy and Security Rules, the OCR developed HIPAA enforcement training specifically for SAGs.

With the update to the civil monetary penalty system by the Omnibus Final Rule, the penalties for HIPAA violations have grown far more severe. In the case of willful neglect, the maximum fine has risen from $25,000 per violation to $1.5 million. And since a data breach typically involves multiple violations, a GHP can potentially face penalties totaling many millions of dollars.

While most covered entities have relatively clear-cut HIPAA compliance requirements, the rules vary significantly from one GHP to the next depending on the services the plan provides and the information it shares with the plan sponsor.

GHPs can take a number of steps to reduce their exposure to OCR penalties and audits—and to ensure that they’re doing everything appropriate to comply with the latest Omnibus Rule requirements.

A closer look at GHP responsibilities

GHPs with fewer than 50 participants are not considered covered entities under HIPAA and, therefore, aren’t required to comply with the Omnibus Rule. But all other GHPs, even fully insured ones, have specific obligations under the HIPAA Privacy and Security Rules and the HITECH Breach Notification Rule.

The entire Security Rule applies to those GHPs that create, receive, maintain, or transmit protected health information (PHI) of their covered members. Provisions in the Privacy Rule that may be pertinent include individual rights, uses and disclosures, notice of privacy practices, and administrative requirements.

If a GHP provides health benefits solely through an insurance contract with a health insurance issuer or HMO (whether fully insured or self-insured) and provides only enrollment, participation, and summary information, the GHP will only need to comply with some of the administrative requirements of the Privacy Rule. These include obligations of “no waiver of rights,” “refraining from intimidation or retaliatory acts,” and documentation with respect to amended plan documents.

On the other hand, if a GHP discloses additional PHI (or allows a health insurance issuer or HMO to disclose it) to the plan sponsor, the GHP must first ensure that the plan documents restrict uses and disclosures of such information by the sponsor, consistent with HIPAA requirements. Specifically, the plan documents must include a certification from the plan sponsor that:

  • Restricts uses and disclosure of PHI without authorization;
  • Ensures that any agents, including a subcontractor, to whom it provides PHI received from the GHP agree to the same restrictions and conditions that apply to the plan sponsor;
  • Provides for certain rights of individuals;
  • Makes information available to the Secretary of the Department of Health & Human Services (HHS) for determining compliance;
  • Provides for the return or destruction of information received from the GHP; and
  • Ensures adequate separation between the GHP and plan sponsor.

In this case, the GHP must also comply with all administrative requirements of the Privacy Rule and provide a Notice of Privacy Practices to members of the plan.

Business associates now on the radar

With the passage of the Omnibus Final Rule, HIPAA’s expanded Privacy, Security, and Breach Notification Rules now apply to a GHP’s many business associates—including service providers who handle enrollment, eligibility, claims management, and collection. Last year, business associates were responsible for disclosing nearly 13 million patient records.

For this reason, GHPs are required to have business associate agreements for all service providers who have access to PHI. These agreements must include language that imposes the same PHI restrictions and conditions that apply to the plan sponsor.

A business associate agreement is not required if the GHP documents have been amended to limit PHI disclosures—or if the disclosures are limited to summary health information from the GHP for obtaining bids or modifying or terminating the plan, or an individual’s participation, enrollment, or disenrollment in a plan. Summary health information is information that summarizes the claims history, claims expenses, or types of claims experienced by individuals and that has been de-identified, except that geographic information need only be aggregated to the level of a five-digit ZIP code.

Action plan for GHPs

Here are some practical steps that every GHP can take to help prevent costly HIPAA violations.

Establish organizational accountability
Most covered entities have a HIPAA oversight committee and a chief compliance officer, and GHPs should do the same. It’s important to establish accountability for a robust compliance program.

Assess your current program
This work begins by identifying applicable HIPAA requirements based on the activities of the GHP and the health information shared with the plan sponsor and business associates. Next, determine exactly where PHI “lives” in the organization – on paper, electronically, orally, etc. It’s advantageous to conduct an internal privacy, security and breach notification compliance assessment to shine the spotlight on compliance gaps and weaknesses that need to be addressed.

Make appropriate workflow changes
It’s important to reduce the amount of PHI the plan sponsor sees or retains to the minimum necessary for various tasks. If adequate separation between the GHP and plan sponsor is required, it’s essential to document which team members (typically HR Benefits) have access to PHI, how that access is authorized, procedures for initiating and terminating access, and the measures in place for resolving noncompliance issues.

Clarify policies and procedures
Every GHP should create formal policies and procedures to ensure compliance with new HIPAA privacy, security and breach notification requirements. This includes clearly communicating the disciplinary consequences for any employee who fails to abide by the rules. Periodically review the plan documents to make necessary changes and obtain required certifications from the plan sponsor. If a Notice of Privacy Practices is required from the GHP, make sure that it’s updated as needed.

Implement a comprehensive training program
All GHP employees must receive thorough training regarding HIPAA policies and procedures. Maintain copies of your training materials and accurate records of training attendance to demonstrate your commitment to HIPAA adherence.

Test your readiness
Don’t wait for a bad thing to happen. Proactively establish procedures for processing complaints, privacy violations, and security incidents to ensure prompt reporting and well-documented investigation, mitigation, and remediation activities. The GHP should also document and test a data breach determination process and response plan.

Complete a HIPAA security risk analysis

Most GHPs are now required to conduct a bona fide HIPAA security risk analysis in which PHI threats, vulnerabilities, safeguards, and controls are examined in detail. This is a more exhaustive process than an internal assessment, and there’s a reason why it’s now mandatory. In the last year alone, the OCR imposed data breach corrective action plans and settlements on many healthcare covered entities, all with one common denominator: None of them had conducted a full-fledged security risk analysis.

HIPAA privacy and security violations can be very costly, not just financially but to a GHP’s reputation. By taking the steps outlined here, you can help ensure that your GHP doesn’t see its name appear on HHS’s “Wall of Shame”—a list that’s growing longer every day.

Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries. She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.