Privacy (Use and Disclosure of PHI)

 

HIPAA’s Privacy and Security Rules

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) and Standards for Security of Individually Identifiable Health Information (“Security Rule”), promulgated under HIPAA, establish a set of national standards for the protection of certain health information. This section will primarily address the Privacy Rule as it specifically relates to health plans. The Security Rule is addressed in a separate section of the Dashboard.

Covered Entities

The Privacy Rule standards address the use and disclosure of individually identifiable health information (called “protected health information” or “PHI”) by organizations subject to the Privacy Rule (“Covered Entities”). Covered Entities include health care providers, health plans, and health care clearinghouses.  The Privacy Rule also contains individual privacy rights with respect to use, disclosure, and access to individual PHI in the possession of Covered Entities.  The Security Rule addresses various procedural, technical, and administrative safeguards that must be implemented for protection of electronic PHI (“ePHI”).

Although an employer may sponsor a health plan, the plan and the employer are regarded as two separate entities for purposes of the Privacy Rule.  This concept and its consequences are often misunderstood.  For a handy refresher on what this means, please see the “FAQs on the Delicate Relationship Between Employers and Their Self-Insured Health Plans”.

For general help in determining who is a Covered Entity, click here to use the decision tool.

What is PHI?

The Privacy Rule governs the way health plans handle “Protected Health Information” (“PHI”). PHI is individually identifiable health information held or transmitted by a Covered Entity or its business associate, in any form or media, whether electronic, paper, or oral.

Health information is information that:

• is received or created by various organizations and individuals, specifically including employers and covered entities such as employers’ health plans; and
• relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Health information is individually identifiable if it is received or created by various organizations, specifically including employers and their health plans; and identifies the individual to whom it relates, or in the reasonable view of the disclosing party, can be used to identify the individual.

Common individual identifiers that may create PHI include:

• Name
• Address
• Phone Number
• Birth Date
• Social Security Number
• Email Address

Of course, this information must bear some relationship to health information; i.e., it must be associated with information about a person’s medical condition, treatment, or payment.  For example, a person’s name and SSN is not PHI; however, that same information along with name of the person’s health plan or insurer is PHI.

In addition, the information will be considered PHI if it can be combined with other available information to determine identity.

PHI does not include health information maintained by an employer in its capacity as an employer.  For example, medical information maintained by an employer in connection with its compliance obligations under the FMLA, ADA, workers compensation laws would not be considered PHI.

De-Identified Information

PHI that has been de-identified is no longer considered PHI and therefore may be used and disclosed for any purpose.  This simply means that all the information in the PHI that could be used to identify an individual has been removed.

The government has provided safe-harbor guidance for de-identification.  It consists of two parts:

• a list of 18 specific identifiers must be removed; and
• absence of actual knowledge that the remaining information could be used to identify an individual.

See Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act Privacy Rule, (“Guidance”).

The 18 Identifiers

The following identifiers of an individual or of relatives, employers, or household members of the individual, must be removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers.

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code.

The Absence of Actual Knowledge

Actual knowledge means clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is a subject of the information.  According to the Guidance, a covered entity has actual knowledge if it concludes that the remaining information could be used to identify the individual.

This suggests that a health plan would be well advised to reach no conclusions about the propensity of the remaining information to identity an individual.  Unsurprisingly, this does not appear to be an option.  Several hypotheticals in the Guidance describe scenarios in which the covered entity “must have concluded” that the information in question could identify an individual.  The hypotheticals do not state that the covered entity did, in fact, reach that or any other conclusion or that it even considered the actual knowledge test.

Plans Covered

The Privacy Rule applies to “health plans”; i.e., individual and group plans that provide or pay for the cost of medical care, including:

• Health, dental, vision, and prescription drug insurers
• Health maintenance organizations (“HMOs”)
• Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers
• Long-term care insurers (excluding nursing home fixed-indemnity policies)
• Employer-sponsored group health plans
• Government and church-sponsored health plans
• Multi-employer health plans

This includes employer-sponsored medical plans and most dental, and vision care plans.  Health FSAs and HRAs are also health plans covered by the Privacy Rule.  So are wellness programs that include screenings.

There is a narrow exception from HIPAA’s Privacy Rule for plans that are self-insured, self-administered, and have fewer than 50 participants.  In addition, there is an exception for certain “excepted benefits.” However, stand-alone dental and vision plans remain subject to the rule (even though they are considered excepted benefits for other purposes.)

Core Privacy Requirements

The Privacy Rule provides comprehensive Federal protection for the privacy of health information. This rule, which became effective on April 14, 2003, set national standards for the protection of health information, as applied to the three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically.  Failure to implement these standards may, under certain circumstances, trigger the imposition of civil or criminal penalties.

PHI Use/Disclosure

Covered Entities cannot use or disclose PHI except as permitted or required under the Privacy Rule.  Permitted uses and disclosures include those made for purposes of treatment, payment, and health care operations, those made pursuant to an authorization, and those permitted due to an exception in the Privacy Rule.

Treatment

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers.  A health plan may use and disclose PHI for its own treatment activities and those of a health care provider.

Some Examples:  An employer-sponsored health plan typically will not provide any treatment; however, employers with wellness programs, EAPs or on-site medical clinics may have plans that provide treatment.  In any event, a health plan may share PHI with a person’s doctor if the latter needs it for treatment purposes.

Payment

Payment, for a health plan, means activity to obtain premiums; to determine the amount of benefits due; and to provide reimbursement.  A health plan can use and disclose PHI for its own payment operations and disclose it to another covered entity or a health care provider for the payment activities of the recipient.

Some Examples:  A health plan can use and/or disclose PHI:

• to another health plan for coordination of benefits.
• to pre-certify treatment.
• to determine medical necessity, whether a treatment is covered and the appropriateness of charges.
• by sending an EOB to an employee, even if the EOB contains PHI of the employee’s covered spouse or dependents.
• to enforce its subrogation rights.
• to obtain payment under a stop-loss contract.

Healthcare Operations

Healthcare operations are certain specified activities related to payment and treatment.  They include health care fraud and abuse detection activities, quality assessment, population-based studies of health care costs, protocol development, and case management.  A health plan can use and disclose PHI for its own healthcare operations.   It may also disclose PHI to another covered entity for the purposes of the recipient’s healthcare operations.

Some Examples: A health plan can use and/or disclose PHI:

• to identify plan participants that might benefit from certain plan provided benefits or treatment.
• to secure coverage under a stop-loss insurance policy.
• to audit the plan’s TPA and other service providers.
• to assist with plan design and project funding needs.

Minimum Necessary

Disclosures must meet a “minimum necessary” standard:  health plans must take reasonable steps to ensure that PHI used, disclosed, or requested is limited to the minimum amount of information necessary to accomplish the intended purpose of the use, disclosure or request.  Access must be limited to only individuals who need access to carry out their job-related duties.  Policies and procedures must be adopted to limit PHI disclosures to meet the minimum necessary standard.

The default minimum necessary standard of disclosure is the “limited data set”.  A “limited data set” is PHI that has been partially de-identified, meaning that all of the 18 identifiers listed in the Privacy Rule have been removed except for dates (Item (C) in the list above) and the zip codes (Item (B) above).    The limited data set should be used unless the health plan determines that this limitation is not practicable to accomplish the purpose of the use or disclosure.

Required Disclosures

The Privacy Rule requires disclosure of PHI in several circumstances; however, most employers and employer health plans are likely to encounter only three:

1. to respond to a request by an individual exercising his individual rights (see Individual Rights, below);
2. to cooperate with the Department of Health and Human Services in connection with its HIPAA enforcement and compliance review activities; and
3. in response to a subpoena or as otherwise required by law (i.e., the request is enforceable in court).

Permitted Disclosures

Permitted exceptions to the PHI disclosure restrictions include public policy exceptions, such as disclosures in judicial or administrative legal proceedings, or disclosures required to avert a serious threat to public health and safety.  Disclosures may also be permitted in limited circumstances, for example:

• when an individual has been given a chance to agree or object to the disclosure in accordance with specified procedures.
• when an individual is present at the time of the disclosure and the health plan can infer from the circumstances that the individual does not object.
• when an individual is not present at the time of the disclosure and the health plan believes, in the exercise of its professional judgment, that disclosure is in the best interest of the individual.

Authorized Disclosures

If a use or disclosure of PHI is neither permitted nor required, the covered entity must obtain an authorization. Authorizations to use and disclose PHI must be voluntarily executed by the individual whose PHI is being used or disclosed. The authorization form must meet specific formal requirements to comply with the Privacy Rule.

Incidental Disclosures

The Privacy Rule permits what it calls incidental disclosures.  These are inadvertent disclosures of PHI that may occur in the ordinary course of an otherwise permitted use or disclosure and in spite of the fact that the health plan had implemented reasonable safeguards to prevent the disclosure and had implemented the minimum necessary standard.  Government guidance gives the following example:

A health plan employee discussing a patient’s health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.  If the health plan employee made reasonable efforts to avoid being overheard and reasonably limited the information shared, the incidental disclosure resulting from the conversation would not violate Privacy Rule.

Individual Rights

HIPAA affords individuals certain rights to access and manage their PHI.

Right of Access: An individual has a right to inspect and copy his or her own PHI maintained by a health plan in a “Designated Record Set” (DSR).

• The plan must respond within 30 days; however, a plan may obtain a 30-day extension.
• If a person requests a copy of the records, the plan may charge a fee (but not more than what is required to cover the cost of labor, supplies and postage).
• A plan may (but is not required to) deny a request for access in certain specified circumstances. Most of these exceptions are more relevant to health care providers than they are to health plans but the latter might invoke them if the requested information was compiled for a legal proceeding; if disclosure would violate a confidentiality obligation owed to a third party; or if a licensed health professional determines that disclosure would present a danger to the life or safety of the individual or another person.

Right to Amend or Correct PHI:  An individual has a right to amend or correct PHI in a DSR if the information is incorrect or incomplete.

• The plan must respond within 60 days with an available 30-day extension.
• The plan may deny the request if it did not create the PHI (e.g., PHI received from a health care provider); if the PHI would not be available pursuant to the right of access; or if the plan determines that the PHI is in fact correct or complete.

Right to Obtain an Accounting of Disclosures:  An individual has the right to obtain an accounting of disclosures of his or her own PHI made within 6 years before the date of the request.

• The plan must respond within 60 days with an available 30-day extension.
• The accounting must include:
  • the date of the disclosure;
  • the name of the entity or person who received the protected health information and, if known, the address of such entity or person;
  • a brief description of the protected health information disclosed; and
  • a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.
• However, certain disclosures need not be included in the accounting. For health plans, the most commonly seen exceptions are likely to be disclosures:
  • to carry out treatment, payment and health care operations;
  • incidental to a permitted use or disclosure;
  • made to individuals of protected health information pursuant to the Right of Access;
  • pursuant to an authorization;
  • as part of a limited data set.

Right to Request Restrictions of Uses and Disclosures:  An individual may request that a health plan restrict the uses and disclosures of PHI to carry out treatment, payment and health care operations; however, the plan does not have to grant such requests and, in our experience, most plans routinely deny them.

Right to Request Alternate Communications:  A health plan must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.

Right to Receive a Notice of Privacy Practices: An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the health plan, and of the individual’s rights and the plan’s legal duties with respect to PHI. A model privacy notice can be found here. Plans may use HHS’ Model NPP template; choose the Health Plan version!

• The notice must be provided at the time an individual enrolls for coverage.
• In addition, at least once every three years, the health plan must notify individuals covered by the plan of the availability of the notice and how to obtain the notice.
• The plan must promptly revise and distribute its notice whenever there is a material change to the uses or disclosures, the individual’s rights, the covered entity’s legal duties, or other privacy practices stated in the notice.
• If the health plan maintains a website, the privacy notice and any changes to the notice must be prominently posted there.

As discussed below, a fully-insured plan that receives no PHI (other than summary health information) does not need to have a privacy notice.  A fully-insured plan that receives PHI that exceeds what would be considered summary health information must maintain a privacy notice; however, it does not have to provide the notice except upon request.

Implementation

Implementation Requirements for Employers with Fully-Insured Plans if They Receive No PHI

The Privacy Rule does not impose a big compliance burden on an employer that provides health benefits only through fully-insured plans and receives no (or almost no) PHI.  The only administrative requirements that apply are those related to waiver and non-retaliation (see below).  In addition, such an employer can receive PHI in the form of:

• enrollment and disenrollment information; and
• “summary health information” for specified purposes;

without any additional compliance requirements.

Summary health information is information that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan; and from which the 18 identifiers discussed above have been deleted, except that the geographic information need only be aggregated to the level of a five digit zip code.

The specified purposes are:

• obtaining premium bids for health insurance coverage under the group health plan; and
• modifying, amending, or terminating the group health plan.

Implementation Requirements for Employers with Self-Insured Plans or Who Receive PHI

Employers that sponsor self-insured health plans (even if they don’t receive PHI) and employers that receive PHI with respect to their fully-insured health plans need to follow a rigorous path to compliance.

There are actually two sets of requirements here.  One set applies directly to the sponsoring employer; it details what an employer must do in order to receive the PHI it needs to fulfill the second set of requirements and perform other plan-related functions.  The second set applies to the health plan itself, although as a practical matter, in most cases, it will be the sponsoring employer that actually implements the requirements.

Employer Requirements

In order for a health plan or insurer to disclose PHI to an employer, the employer’s health plan must include provisions that:

• Establish the permitted and required uses and disclosures of such information by the plan sponsor.
• Provide that the plan will disclose protected health information to the employer only upon receipt of a certification by the employer that the plan documents incorporate the following provisions and that the plan sponsor agrees to:
  • Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;
  • Ensure that any agents to whom it provides PHI agree to the same restrictions and conditions that apply to the employer with respect to such information;
  • Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan;
  • Report to the plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;
  • Make available information as needed to enable the plan to comply with its obligations related to individual rights;
  • Make its internal practices, books, and records relating to the use and disclosure of PHI received from the group health plan available to the government for purposes of determining compliance by plan’s compliance with the privacy rule; and,
  • If feasible, return or destroy all PHI received from the plan that the employer still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible
• Provide for adequate separation between the plan and the employer. The plan documents must:
  • Describe those employees or classes of employees or other persons under the control of the employer to be given access to PHI.  This must include any employee or person who receives PHI in the ordinary course of business;
  • Restrict the access to and use by such employees and other persons to the plan administration functions that the employer performs for the plan; and
  • Provide an effective mechanism for resolving any issues of noncompliance with the employer requirements.

Plan Requirements

A health plan must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity; and a contact person or office who is responsible for receiving complaints about Privacy Rule violations and who is able to provide further information about matters covered by the plan’s notice of privacy practices.

Of course, this means that a health plan must also provide a process for individuals to make complaints and provide that it can’t retaliate against a person who makes a complaint, testifies against or opposes any practices of a plan on the grounds that it has violated the Privacy Rule.

Moreover, a health plan cannot require a person to waive any rights they may have under the privacy rule as condition of enrolling in or receiving benefits from the plan.

A health plan must implement policies and procedures with respect to PHI that are reasonably designed to ensure such compliance with the Privacy Rule.

A health plan must mitigate, to the extent practicable, any harmful effect that is known to the plan of a use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the plan or its business associates.

Privacy Policy

A health plan must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

Plans must create, implement, and maintain written policies and procedures reasonably designed to ensure compliance with the Privacy Rule. Covered Entities often encapsulate such policies and procedures within a written Privacy Policy document. All self-insured plans must have a written Privacy Policy. Fully insured plans must have a Privacy Policy document if they receive PHI, subject to the two exceptions outlined above. (Anchor to the Implementation Section on the page just about this section.)

Additionally, Employers must decide whether to create a separate policy for each Plan or create one Policy document for all Plans. Factors affecting this decision include Plan type, location of employees, and Plan eligibility. Speak with counsel about this decision.

Unlike a Plan’s Security Policy, a Privacy Policy document may contain standardized legal language to conform it to the particulars of the HIPAA regulations. However, a Plan must still customize portions of the Privacy Policy with applicable Plan details and contact information.

Privacy Policy documents may contain some or all of the following sections (based upon language from HIPAA’s Privacy Rule)
Plan Name and Definitions from HIPAA’s statute.

• Permitted and Required Uses and Disclosures of PHI
• Prohibited Uses and Disclosures of PHI
• Disclosures to Persons Involved in the Care of an Individual
• Authorizations
• Inappropriate Uses and Disclosures of PHI
• Individual Rights
• Designation and Duties of the Privacy Officer
• Retaliation and Waiver
• Attachment: Privacy and Security Investigation Form

Creating the Privacy Policy is typically a duty of the designated Privacy Officer/Office but will require input from company personnel such as owners, directors, managers, counsel, and HR staff.

In Summary: A Privacy Policy must include information about:

• Plan(s) name
• contact information for your Privacy Officer and your Point-of-Contact for Complaints
• required and permitted uses and disclosures of PHI
• how issues of non-compliance will be resolved
• employees’ individual rights
• how often privacy policies will be updated (e.g., annually or as required by changes in the law or regulations.)
• a complaint procedure
• a sanctions policy for HIPAA Privacy Rule violations
• a procedure to mitigate harmful effects of improper uses and disclosures of PHI
• a policy on prohibiting retaliation against anyone who exercises HIPAA privacy rights

It is a best practice to maintain the Privacy Policy with its Notice of Privacy Practices and additional forms in a written format and update it at least annually.

Last, a Privacy Policy often contains an Appendix of forms containing the Plan’s Notice of Privacy Practices document (as required by HIPAA), as well as any forms the Plan creates for authorizations and restrictions of PHI.  Participant request forms may include the following:

• PHI Authorization
• Request to Inspect or Copy PHI
• Request to Restrict Disclosure of PHI
• Request to Receive an Accounting of Disclosures
• Request to Receive alternate Communications

Notice of Privacy Practices

Covered Entities must provide individuals with a notice of their privacy practices for PHI.  The notice must describe:

• the ways in which the Covered Entity may use and disclose protected health information (including at least one example);
• the Covered Entity’s legal duties with respect to PHI;
• an individual’s rights, including the right to complain to HHS and to the Covered Entity if they believe their privacy rights have been violated; and
• a point of contact for further information and for making complaints to the Covered Entity.

HHS has provided a model Privacy Notice. Plans may use HHS’ Model NPP template; choose the Health Plan version!

Providing the Notice

• A covered entity must make its notice available to any person who asks for it.
• A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.
• For Health Plans:
  • the plan administrator must provide the notice at the time of enrollment to individuals then covered by the plan and within 60 days of a material revision to the notice.
  •  The privacy notice may be included with other written materials, including the SPD or enrollment materials.
  • In addition, a reminder notice must be distributed every three years after initial issuance to individuals then covered by the plan, in order to notify individuals covered by the health plan that a notice of privacy practices is available and how to obtain it.

Security Breach Notification

If the security of Unsecured PHI is breached, the Covered Entity must provide notice without unreasonable delay and within 60 days after discovery of the breach.

• The 60 day time period begins to run upon knowledge of the event, even if it is unclear whether the incident is a breach.

This notice must be provided to:

• Impacted Individual: Written notice must be sent to the last known address.  If the Covered Entity does not have contact information for 10 or more affected individuals, then the Covered Entity must post a conspicuous notice in a major print or broadcast media in geographic areas where the individuals affected by the breach likely reside.
• Prominent Media Outlets: If the breach involves more than 500 individuals in a single state or jurisdiction.
• HHS: If the breach involves more than 500 individuals (regardless of their location) the Covered Entity must notify HHS immediately, which will identify the Covered Entity on its web site.  If the breach involved less than 500 individuals, the Covered Entity must maintain a log of security breaches and submit it to HHS on an annual basis.

Security Breach Definition

• The information is “unsecured” PHI, in other words, PHI that has not been encrypted or completely destroyed in accordance with HHS guidelines.
• The information was disclosed in an unauthorized manner.
• The use or disclosure poses a significant risk of financial, reputational, or other harm to the individual.
• The use or disclosure does not fall under an exception listed in the statute, including:
  • Unintentional access by a Covered Entity’s or Business Associate’s employee
  • Inadvertent disclosure from one Covered Entity or Business Associate employee to another similarly situated employee
  • The recipient would not reasonably have been able to retain the information

In order to determine whether a breach has occurred for which notification is required, a Covered Entity or Business Associate must determine whether the disclosure poses a substantial risk of personal, financial or other harm to the affected individual.  Accordingly, all Covered Entities and Business Associates must adopt a risk assessment procedure.

Content of Notice

• brief description of breach, including dates
• description of types of unsecured PHI
• steps impacted individuals should take to protect against potential harm
• brief description of steps the Covered Entity has taken to investigate the incident, mitigate harm and protect against further breaches
• contact information

Business Associates

Relationships with Business Associates

Employers often use third-party service providers to assist with the administration of their health plans.  If that assistance requires the third-party to handle PHI, it will be a “business associate” of the health plan and the Privacy Rule strictly regulates that aspect of the business relationship between the third party and the employer.  More specifically, a third-party service provider is a business associate if it:

• creates, receives, maintains, or transmits protected health information for a function or activity regulated by the Privacy Rule, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, and repricing; or
• provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a health plan, where the provision of the service involves the disclosure of PHI to the third party.

This is permissible only if the Covered Entity and the Business Associate have entered into an agreement imposing specific obligations on the Business Associate with respect to the use and disclosure of PHI.   A model agreement was published as part of the DOL regulations that established the Privacy and Security Rule.

Pursuant to 42 CFR Part 2, self-insured plan sponsors (and applicable fully insured plan sponsors) receiving Substance Use Disorder (SUD) records as part of the administration of the group health plan (GHP) must ensure any GHP service provider agreements, including business associate agreements, contain a statement indicating SUD records will be protected. For example, the following statement may read, “42 CFR Part 2 prohibits unauthorized disclosure of these [SUD] records.”

Some employers may believe that they do not have any business associates if they have fully insured health plans.  However, employers should consider all aspects of their employee health benefit plans.  For example, an employer with a fully insured health plan may still have business associates acting on behalf of a plan if:

• It uses a broker that obtains PHI in order to quote coverage.
• It has a Health FSA.
• It has an HRA.
• It has certain types of wellness or employee assistance programs.

The Dept. of Health and Human Services has posted sample business associate agreement provisions.

Noncompliance

HIPAA imposes civil penalties for violations:

• If the violator did not know (and by exercising reasonable diligence, would not have known that violation occurred), each violation ranges from $114 to $57,051 with a cap of $1,711,533 for identical violations during the calendar year.
• If the violation was due to reasonable cause, each violation ranges from $1,141 to $57,051 with a cap of $1,711,533 for identical violations during the calendar year.
• If the violation was due to willful neglect (and timely corrected), each violation ranges from $11,410 to $57,051 with a cap of $1,711,533 for identical violations during the calendar year.
• If the violation was due to willful neglect (and not timely corrected), each violation ranges from $57,051 to $1,711,533 with a cap of $1,711,533 for identical violations during the calendar year.

Additional Resources

Department of Health & Human Services Web Site.

Decision Tool for help in determining who is a covered entity.

A sample business associate contract language is available on the Office for Civil Rights (OCR) website.

Department of Health & Human Services Summary of the HIPAA Privacy Rule.

HIPAA Privacy Rule and Health Information Technology (HIT).

Online Form for Submitting Notice of Breach to HHS.