When legislators pieced together new provisions for the Health Insurance Portability and Accountability Act early this year in the American Recovery and Reinvestment Act of 2009 (the stimulus), they erected a complex set of legal hurdles for health plans to clear.
One of the biggest changes is a move to include “business associates” of the original covered entities — health plans, providers, and clearinghouses — under the law. For health plans, those business associates include vendors of professional services such as electronic prescribing technology and accounting. Insurance brokers too.
Now, a great number of health plan associates have legal responsibility to comply with HIPAA, including a requirement to work through health plans when there is a security breach — essentially when a member’s health care information winds up in the wrong hands. Each of those business associates is required to alert the health plan when it learns that there has been a security breach, and the health plan has to alert the member and, under certain conditions, the news media as well.
But it didn’t take long for Kirk Nahra to spot a potential trouble spot in the new provisions.
“Here is the problem,” says Nahra, a prominent health plan lawyer at Wiley Rein, a Washington area law firm, who has been grappling with the new rules. Once they take effect, a business associate will have 60 days to notify the health plan of a breach, and the plan, curiously, has the same 60 days to send out the breach notice. If the business associate waits well into that period before alerting the managed care organization (MCO), the health plan could be left with little or no time to comply with the law. As a result, health plans have already begun scrambling to include breach notification provisions in their contracts that will give them the time to be compliant.
This is just one of several new legal responsibilities for the clinical executives of health plans to be aware of. With security and privacy executives taking the lead, insurers are being required to execute a series of fast-paced changes to the way they do business over the rest of the year.
Aside from the key business associate rules, there is a new mandate to strip data of personal identification whenever possible. And just weeks ago, the Department of Health and Human Services consolidated enforcement of both security and privacy provisions into a modestly beefed up Office of Civil Rights (OCR), signaling to some that after more than five years of limited oversight, the federal government may be planning to step up its enforcement of the law.
What is a breach?
Under the ARRA the government added billions of dollars in new incentives to push health care into the digital age, which is likely to increase the anxiety that people have about the security of their data, according to Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. And the government responded by making HIPAA’s security and privacy rules more comprehensive while sharpening its enforcement claws.
“We wanted breach notification,” says McGraw. “It’s important for patients to know when their data have been seen by unauthorized people, or an authorized person, for an unauthorized purpose. Previously, when data went to the business associate, if the business associate didn’t comply with the terms of its contract, the government couldn’t hold it accountable. If the covered entity did nothing, nothing was done. That was unacceptable.”
There isn’t much time left for plans and other covered entities to get ready for the change. Once HHS clarified the breach notification rules in mid-August — detailing when covered entities are required to alert people to a breach — they were slated to be in effect in 30 days. Everything else in the law takes effect in February.
“These organizations have hundreds, if not thousands — in some cases tens of thousands — of business associates,” says Daniel Nutkis, CEO of the Health Information Trust Alliance, which collaborated with the various players in health care to work on a standardized security framework that helps organizations comply with HIPAA as well as other regulations and standards. “If you look at the process to date, health plans are likely to be the first organizations providing oversight of business associates and making sure that business associates are doing what they should be doing.”
All health plan contracts will have to reflect the new relationship, says Kimberly Gray, who recently moved from her post as chief privacy officer at the Pennsylvania insurer Highmark to the same position at IMS Health. And Gray notes that many health plans wear two hats under HIPAA — one as an original covered entity and the second as a business associate of self-insured employers. Some employers that are self-insured may want to delegate security breach notification to their business associates — in this case the health plan.
Like other covered entities, MCOs are also going to have to learn how to strip out as much patient identifying information as can reasonably be expected from the mountain of data that they manage.
“From a privacy standpoint, use of data stripped of identifiers, such as in a limited data set, is more protective while still retaining the data’s utility,” says McGraw. “I’m not sure how new provisions encouraging the use of a limited data set are going to be interpreted by OCR, though. It tells covered entities that if they use limited data sets, they are in compliance. But you don’t have to use limited data sets if they won’t work for a particular purpose.”
In most cases, the health plans can’t use limited data sets, says Nahra. The river of claim reports that flows through health plans typically deals with the treatment a patient received — and that has to remain fully identifiable.
There is an added motivation for health plans and the other covered entities to shift stances quickly to accommodate the new law. The expansion of HIPAA includes much more muscular penalties for plans that violate the law. Individual security infractions that had warranted civil penalties of $100 each now can cost $50,000, with an annual maximum of $1.5 million. And state attorneys general were given a green light to go after HIPAA cases.
On the federal side, HHS’s recent consolidation of enforcement of both security and privacy provisions in the Office of Civil Rights is seen by some as a sign of renewed determination to make the law stick.
“It signals a degree of seriousness on the part of policymakers to deal with this issue — the need for HHS and OCR in particular, along with the National Coordinator for Health Information Technology, to really be more aggressive about HIPAA all around,” says McGraw.
“I do think the new administration with these new tools is going to be more active,” says Nahra. But he isn’t speculating yet on how much more active the feds will become. “The OCR was also accused of not enforcing the law. They have more authority [now], but it doesn’t say whether they are going to use it.”
A health plan can strip out personal patient data only when identification isn’t required, says Kirk Nahra, a health insurer lawyer. In most cases, health plans cannot use limited data sets.
Plans have long been one of the most compliant industries that have to adhere to HIPAA, says Kimberly Gray, chief privacy officer at IMS Health. She sees no surge of enforcement activity on the way.