Important Updates on HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the subsequent regulations require that health plans name a Privacy Officer and Security Officer to have oversight of the health plan’s HIPAA compliance.

Do you know who has been assigned to these roles for your health plans?

The individual(s) in these roles are responsible for developing, documenting and implementing the health plan’s HIPAA compliance. This includes:

1. Development, documentation and implementation of:

a. The health plan’s HIPAA policies and procedures. These are not the HIPAA policies and procedures of your TPA or other health plan vendors; those policies and procedures typically only address how the TPA or vendor will comply with HIPAA. Each health plan is required to have its own policies and procedures.

b. Business Associate Agreements (“BAA”) – ensuring each health plan vendor has a standard BAA in place.

c. Notice of Privacy Practices (“NOPP”) – ensuring the NOPPs and annual reminders of availability are in place and updated as necessary.

d. HIPAA forms, such as HIPAA Authorizations and HIPAA rights requests – ensuring all forms are in place, updated and processed as necessary.

2. Implementing, updating and tracking trustee training – training provides the trustees with an understanding of their responsibilities under HIPAA.

3. Vendor management – this includes ensuring that BAAs are in place with all vendors. It also requires ongoing management of incidents/breaches and monitoring of each vendor’s compliance efforts.

The Department of Labor (DOL) has issued cybersecurity guidance that requires health plans to monitor all of their vendors’ cybersecurity compliance and to address any issues. A signed contract is no longer enough to satisfy this requirement. While most Protected Health Information (“PHI”) for the plan is typically held by a TPA, other vendors also receive PHI. The Privacy Officer and Security Officer must ensure compliance with both HIPAA and the DOL cybersecurity guidance. At a minimum, the Privacy Officer and Security Officer should ensure that BAAs are in place and that a vendor assessment is performed to determine each vendor’s compliance efforts. In addition, the Privacy Officer and Security Officer should manage all vendor incidents and breaches, ensuring that the vendors and the health plan take all steps necessary to address them. This may include assessing the issue and, as necessary, sending notices to affected members, regulatory agencies and the media.

The Privacy Officer and Security Officer must also monitor new regulatory updates to ensure the health plan’s compliance. For example, earlier this year the HIPAA regulations were updated to address restrictions on uses and disclosures of reproductive health care information and of substance use disorder records created by federally funded treatment facilities (Part 2 SUD records). These changes require updates to the health plan’s policies and procedures to reflect the restrictions and how they will be managed. While vendors may be responsible for handling these requests, the health plan’s policies and procedures need to specify these updates and address who is responsible for coordinating requests. These changes also require updated training and Notices of Privacy Practices, as well as a review of the health plan’s current BAA to determine whether updates are needed.


Who should act in this role - the trustees, TPA, fund counsel, fund consultant or a vendor?

The role of Privacy Officer and Security Officer is a fiduciary responsibility.

The trustees must determine who is best equipped to fill these roles and who can accept the full responsibilities of a Privacy Officer and Security Officer on behalf of the health plan. When HIPAA first required assignment of a Privacy Officer and Security Officer, most clients assumed or elected their TPA to act in these roles. However, TPAs perform administrative services and do not typically function as fiduciaries. TPAs do not usually assume the full role but will collaborate with the client’s fund professionals to address HIPAA compliance. As HIPAA has evolved over the years and its complexities have become better understood, it has become more important to ensure that the Privacy Officer and Security Officer truly understand the breadth of their role. This encompasses oversight not only of the TPA, but of any vendor with access to the health plan’s PHI.

Zenith American Solutions has developed products to assist clients with their HIPAA compliance efforts. Our services vary from simply reviewing the health plan’s HIPAA documents to fully implementing an integrated service to manage the health plan’s overall HIPAA compliance efforts. We have been providing HIPAA services to clients for nearly 10 years and are proud to report that our clients consistently value the service.

If you are looking for assistance with your HIPAA compliance efforts, feel free to discuss your needs with your client services team. We would be honored to assist you with compliance efforts.
