Two often overlooked HIPAA administrative requirements

Certain provisions in the HIPAA Privacy Rule do not apply to all covered entities or business associates. Specifically, 45 CFR § 164.530 has eleven standards that apply to persons operating in the healthcare sector. Between December 2000 and August 2009, several changes to this section occurred. They are found at [65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53272, Aug. 14, 2002; 71 FR 8433, Feb. 16, 2006; 74 FR 42769, Aug. 24, 2009].

What is notable is that this particular section contains technical, administrative, and technical safeguards, which differ from those in the HIPAA Security Rule because they apply to all forms of protected health information (PHI) and not just electronic protected health information (ePHI). (emphasis added). What is also notable is that of the three “buckets” of entities (providers, health plans, and health care clearinghouses) that fall under the term covered entity (45 CFR §160.103), The first six (6) items on the list of eleven (11) do not apply to Group Health Plans.

45 CFR § 164.530 requires the following of covered entities and business associates, with the exception of the first six (6) items. Having said that, designating an HIPAA Compliance Officer, who has responsibility of privacy and security is a best practice, especially in light of variations, which may be present in individual state regulations. To be clear, just because Section 164.530 may not apply, the Security Rule must be considered and complied with.

The first six items are as follows:

1. Designating a privacy official, who is responsible for implementing privacy policies and procedures.
2. Implementation of standard training.
3. Implementation of specific technical, administrative, and physical safeguards to “limit incidental uses or disclosures” and avoid any “intentional or unintentional use or disclosure”.
4. Developing a process to document and address complaints regarding a covered entity’s policy and procedures.
5. Appropriate tiered sanctions must be in place for workforce members.
6. Mitigating a harm that is known to the covered entity regarding the use or disclosure of PHI.
7. Refraining from intimidating or retaliatory acts including but not limited to threats, coercion, discrimination, or other retaliatory action against any individual. (emphasis added).
8. Covered entities may not waive an individual’s rights to “treatment, payment, enrollment in a health plan, or eligibility for benefits.”
9. Standard policies and procedures must be implemented to protect PHI and review/revise the policies and procedures on an annual basis or whenever there is a change in the law.
10. Policies and procedures must be maintained in “written or electronic form” for a retention period of “six (6) years from the date of its creation or the date when it was last in effect, whichever is later.” (emphasis added).
11. Group health plans.

(1) A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:

(i) The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and

(ii) The group health plan does not create or receive protected health information, except for:

(A) Summary health information as defined in § 164.504(a); or

(B) Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

Like most regulations in healthcare, Section 164.530 does not stand on its own and must be read in conjunction with other regulations. This is where 45 CFR §164.316 comes in because it also relates to policies and procedures – requiring both covered entities and business associates to meet this standard and update. This section should be considered when assessing verbiage in business associate agreements (BAAs). First, the policies and procedures must be in writing. Second, like Section 164.530, a retention period of “six (6) years from the date of its creation or the date when it was last in effect, whichever is later.” (emphasis added).

Why is this material to BAAs? Because, in the event a covered entity takes the position that they want all PHI destroyed or returned immediately, the business associate (or the subcontractor if the BAA is between the business associate and a subcontractor) should state that because of their own obligations, which are set forth in their policies and procedures, they are required to keep the PHI for a period of at least six years. There may also be other circumstances such as a legal hold, state law requirements, and/ or PHI involving minors.

In sum, these are two provisions of HIPAA, which are not often written about but can be very important in retaliation claims, False Claims Act cases, and HIPAA compliance alike.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.