MEMORANDUM
2010-5
(For Brokers Only)
The HITECH Rules:
Impact on Insurance Brokers as Business Associates
February 16, 2010
As of February 17, 2010, insurance brokers and benefits consultants take on additional responsibilities and risks under the Privacy and Security Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The purpose of this Memorandum is to discuss, on an informal basis, the issues unique to group health insurance brokers and benefits consultants engaged in the business of advising employers/plan sponsors (plan sponsors) on group health plan matters, and the steps to take.
I continue to receive inquiries about the impact on our industry brought on by the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Interim Final Rule published by the Department of Health and Human Services (HHS) on August 24, 2009. For background, please refer to my Legislative Updates 2009-10 (April 29, 2009), 2009-14 (September 22, 2009), and 2009-16 (October 8, 2009).
The Basics
1. The Commission Agreement. All of you who receive commissions related to the sale and renewal of group health policies and/or health coverage provided through agreements with Health Maintenance Organizations (HMOs) will find HIPAA Business Associate Agreements already incorporated into your commission agreements. The February 17, 2010 Rules (New Rules) will apply regardless of whether the carriers or HMOs involved have amended their commission agreements to reflect the New Rules. The health insurance plan provided to your clients constitutes a Covered Entity. The commission agreement provides that you are not only an agent of the insurer but also a Business Associate of the plan established by the plan sponsor and insured through the group carrier or HMO.
2. Fully-insured Plans. In most instances, especially in the small group market, the plan neither produces nor distributes individual protected health information. The information is either aggregated or de-identified and, therefore, outside the purview of the HIPAA Privacy Rules.
3. Claims Problems. Most brokers/consultants occasionally receive calls from the employer or from plan participants seeking help to resolve claims problems. The Privacy Rules will require that the claimant provide specific written authorization giving the broker authority to pursue the claim. As a broker performing these services, you are exempt from full-on Privacy compliance since you are dealing with treatment, payment, or health care operations, as defined in the Privacy Regulations.
4. Census Data. In the event you market a client’s group health plan, you most likely will use aggregate (i.e. de-identified) census data (e.g. number of males born in 1943), or occasionally you will have individualized census information (PHI). Under the New Rules, you must either de-identify the PHI or protect that census data through encryption or by destroying it. You also must provide only the minimum necessary information (sex, date of birth) to achieve your purpose. Privacy Regulations treat health plan marketing as a permissible activity without getting participant permission; however, as a Business Associate you must protect the PHI from which you derived your de-identified data by either encrypting it or destroying it, regardless of whether the data is stored electronically or in paper form.
5. HITECH Rule. HITECH now requires Business Associates, such as yourselves, to protect PHI pursuant to statute, not just by contract under a Business Associate Agreement. This change places Business Associates under the same use and disclosure rules that apply to Covered Entities (please refer to 45 CFR 164.502(e)(2) and 164.504(e)), as well as exposing them to potential civil and criminal penalties for violations as determined by the Office of Civil Rights.
6. Self-funded Plans. If you provide advice to plan sponsors regarding their self-funded health plans (including health FSAs) based on PHI, you must enter into a Business Associate Agreement between the plan and your organization. Please note, your agreement is NOT with the plan sponsor. Even though it is executed by the plan sponsor, the agreement must be between you and the plan itself, since the PHI is generated by the health plan. As we stated above, the HITECH Rules now require Business Associates to meet the requirements of the HIPAA Security Rules to the same degree as a Covered Entity.
7. The Business Associate Agreement, Generally. Due to the more extensive nature of the new set of obligations for Business Associates, the parties may wish to modify an existing Business Associate Agreement to reflect the specific terms and provisions of your service agreement with the underlying health plan. If you are advising plan sponsors based solely upon a broker of record letter, you risk broad exposure to penalties under the HIPAA rules as modified by HITECH. I urge you to implement a service agreement. If you have a service agreement, you may wish to tailor your Business Associate Agreement to the services you provide that involve the use, receipt, or distribution of protected health information, whether it be oral, in writing, or maintained electronically. If you provide additional administrative services such as paying claims, billing and collection, enrollment services, etc., it is critical that you have a separate service agreement with the plan sponsor as well as a Business Associate Agreement with the plan, tailored to your handling of PHI in those roles.
8. Record Keeping. The HIPAA Privacy Rules require document retention for a period of six years from the date of the document's creation. As indicated in our current model Business Associate Agreement (10/8/2009), the Business Associate is responsible for the security of all PHI in its possession until it is returned to the Covered Entity or is destroyed. In the event that a client changes brokers or consultants, you may deliver the records to the new broker at the request of the Covered Entity, but only if that broker executes a Business Associate Agreement of its own with the Covered Entity. You may also deliver the PHI and documentation to the Covered Entity itself. If neither of those options is feasible, such as in the event of your client's bankruptcy, your duty to hold the records continues, but not beyond the six years required under the HIPAA Privacy Rules. It would also be important to seek advice of counsel under these circumstances.
9. Existing and Newly-signed Business Associate Agreements. For self-funded plans, I recommend that you amend the agreements for purposes of HITECH compliance if you have not done so already. If you have amended your existing agreements with self-funded plans using the model we provided with your Legislative Update 2009-16 (10/8/09), you may rely on that agreement, albeit a very general one with regard to achieving compliance with HITECH. If you have not amended or replaced your existing Business Associate Agreements, you may use the model provided in October or tailor each agreement to the kinds of services you are providing that involve the use/disclosure of protected health information. I am available to assist you in this process.
Compliance Audit Checklist
The following is an informal audit checklist to help you focus on the kinds of things you must address, regardless of the size of your organization, if you receive or create PHI.
1. Do you have a Privacy and Security Officer?
2. Do you limit access to protected health information to individuals who have account responsibility, on an account-by-account basis? Are the systems that hold PHI protected by firewalls?
3. Have you identified high risk activities, such as:
- Transmitting protected health information (PHI) to a third party by facsimile or by unencrypted email?
- Storing PHI on portable hard drives or devices such as laptops or USB thumb drives?
- Using permanent (never-changing) passwords for access to PHI?
- Keeping hard copy PHI in separate folders but in unlocked file storage?
- Permitting access to PHI by unauthorized users with shared passwords?
4. Have you limited access to PHI to those individuals who have HIPAA training and a "need to know"?
5. Do you conduct regular HIPAA training sessions?
6. Have you implemented the following procedures?
- Locking records and allowing access only to those individuals whose client assignments give them a need to know?
- Requiring all users with PHI access to log off when they are not at their desks and to put away written materials as needed for security purposes?
- Using privacy screens to minimize incidental disclosure?
- Establishing a user-monitoring system to allow for utilization audits?
- Conducting periodic utilization audits?
- Shredding all paper records that include PHI before discarding them?
- Establishing a secure log of the location, use, and user of each piece of PHI provided to you for any reason as a Business Associate?
7. Additional security items:
- Protect computers from viruses or malicious software.
- Protect PHI that is removed from the office or accessed remotely (e.g. encryption).
8. Develop written security policies.
9. Review locks and building security systems.
10. Analyze the size of your organization and the layout of your facility to determine the optimal location for data storage. If stored on site, ensure that the location is locked at all times, with access only when necessary to perform your job.
11. All staff members need unique user IDs (login ID or name). Establish a written policy against sharing login IDs and passwords. Do not store IDs and passwords electronically. Do not allow the use of unauthorized software or hardware.
12. Establish written policies governing the transmittal of PHI via email as well as breach notification rules. See my Legislative Update 2009-14 (9/22/09). Install encryption software.
13. Require that all iPhones and BlackBerrys used by your staff be locked and stored out of sight when not in use, and encrypt any PHI stored on such devices.
14. Train staff to report any security incident immediately to his/her supervisor or to the Privacy and Security Officer.
15. Train all staff who will have access to PHI in the rules established for providing notice of a privacy/security breach.
Security Rules
HITECH requires Business Associates to comply with HIPAA Security Rules originally promulgated five years ago for Covered Entities. Please refer to my Legislative Update 2005-8 or the Appendices in my 2009 Audit and Compliance Guidelines for details on the required processes.
Compliance Deadlines
Since the majority of the HITECH Interim Final Rule takes effect on February 17, 2010, it is critical that you, as a Business Associate, do the following as soon as you can, if you have not done so already:
1. Conduct a compliance audit and identify the HIPAA and HITECH risks to be addressed.
2. Make sure that your Business Associate Agreement conforms to the uses and disclosures required under your duties to the plan (e.g. marketing tasks, or as a claims payer). Also, make sure those duties are in writing.
3. Train all staff with access to PHI regarding your firm's written policies and procedures for protecting PHI, as well as their duties in the event of a breach or suspected breach.
4. Establish periodic staff meetings for discussion of privacy and security issues.
5. Commit all HIPAA and HITECH related policies to writing.
In the same way that plan sponsors look for SAS 70 reports to judge the professionalism of third party administrators, plan sponsors may also seek similar assurance from you as part of their due diligence in broker selection.

Copyright © 2010 Alfred B. Fowler, Attorney at Law.
All Rights Reserved. Reprint with permission only.
This legislative update is published as an information source for our clients and colleagues.
It is general in its nature and is no substitute for legal advice or opinion in any particular case.
mike@abferisa.com
IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any tax advice contained in this communication, unless expressly stated otherwise, was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding tax-related penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any tax-related matter(s) addressed herein.