The new federal protected health information privacy and security final regulations will tighten the rules governing how health insurance agents and brokers share “protected health information” (PHI).
Mark Holloway, a lawyer in the health reform advisory practice at Lockton Benefit Group, talks about the changes in a commentary on the regulations.
In the past, Holloway said, federal Health Insurance Portability and Accountability Act (HIPAA) privacy and data security rules applied directly only to health insurers, hospitals, medical offices and other “covered entities.”
A health insurer had to negotiate health information confidentiality agreements with health insurance agents, health insurance brokers and other “business associates,” but the business associates simply had to abide by the confidentiality agreements, Holloway said.
“Business associates were contractually liable to the plan if there was a breach but were not subject to direct oversight” by the regulatory agency that enforces the HIPAA rules, the U.S. Department of Health and Human Services (HHS), Holloway said.
Under the laws now in effect, “the HIPAA privacy and security rules directly apply to business associates, as do HIPAA’s civil and criminal penalties,” Holloway said. “Thus, business associates must develop formal policies and procedures to demonstrate compliance with the HIPAA rules, as well as designate their own privacy and security officials.”
In the final regulations, HHS has now decided to include a business associate’s subcontractors in the definition of “business associate,” Holloway said.
“This means that the HIPAA confidentiality obligations and enforcement regime would extend to these subcontractors (even though they do not have a direct relationship to the health plan) to the extent that the subcontractors create, maintain or transmit [protected health information (PHI)] on behalf of the business associate,” Holloway said.
HHS developed the new final health information privacy and security regulations to implement parts of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Patient Protection and Affordable Care Act of 2010 (PPACA).
The final regulations are set to take effect March 26. Health insurers and health producers, and other covered entities and business associates, are supposed to start complying with the regulations by Sept. 23. Business associates will then have a year to shift to using contracts that reflect the new security and privacy regulations.
Holloway noted in a discussion of the rules for subcontractors that a holder of PHI will have to negotiate just one layer of PHI protection contracts.
A health plan, for example, would have to negotiate a contract with a benefit plan administrator.
If the benefit plan administrator hires a utilization review company, the administrator would be the party responsible for negotiating a PHI protection agreement with the utilization review company, Holloway said.
The HIPAA privacy and security rules will apply, however, even in cases in which a holder of PHI has no formal contract with a business associate or that business associate’s agent, Holloway said.
“Because direct business associates are liable for HIPAA breaches by their subcontractors, business associates need to identify all agents and subcontractors with access to PHI and ensure there is a written agreement in place with appropriate indemnification language that protects the direct business associate in the event the subcontractor commits a HIPAA violation,” Holloway said.
The completion of the final regulations may change the way HHS enforces the regulations.
In the real world, however, many affected organizations started addressing the broader HIPAA privacy and security requirements in business associate agreements created after the HITECH Act expanded the requirements in 2009, Holloway said.
Making a serious effort to comply with the regulations is worthwhile, because the penalty amounts can range from $100 for a single violation, where the violator did not know of the violation, up to $1.5 million per year for a series of identical violations.
One mitigating factor regulators will weigh when determining penalty amounts is whether a health plan or business associate has had a history of compliance or noncompliance with HIPAA rules, Holloway said.