“Building Excellence” in HIPAA Compliance: Not Just for Health Care Providers
Design, construction, and … HIPAA compliance? At first blush, the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) may seem as relevant to the construction community as bathtubs are to giraffes. After all, the HIPAA Rules apply to protected health information (PHI), and bring to mind doctors and hospitals – which your members are not. But if a building design or construction company has an on-site medical clinic or a self-insured group health plan, the HIPAA Rules may be an issue. With the federal government’s Phase 2 compliance audits underway, and enforcement in high gear, the time is right to determine whether and how you (or, at least, a part of you) should approach the HIPAA Rules.
What are the HIPAA Rules, and do they apply to my business?
The HIPAA Rules are a set of federal regulations consisting of: (1) the Privacy Rule, governing uses and disclosures of PHI by covered entities (CEs) and their business associates (BAs); (2) the Security Rule, which requires CEs and BAs to safeguard electronic PHI (ePHI); (3) the Breach Notification Rule, under which CEs and BAs must provide notice of breaches of unsecured PHI; and (4) the Enforcement Rule, describing the federal government’s ability to investigate and impose penalties on CEs and BAs for HIPAA Rule violations.
The HIPAA Rules apply only to PHI – which is information with the following characteristics:
It is individually-identifiable health information (IIHI) – it both relates to an individual’s past, present, or future physical or mental health, the provision of health care to an individual, or the past, present or future payment for an individual's health care, and it identifies the individual; and
It is created or received by a CE or BA.
Your Human Resources department may create or receive employees' IIHI for such purposes as accommodating disabilities or administering medical leave – is that PHI? Almost certainly not, because PHI specifically excludes IIHI in employment records held by a business in its role as employer. To be PHI subject to the HIPAA Rules, IIHI must be created or received by a CE acting in that capacity.
CEs are limited to three groups: (1) health care providers (HCPs); (2) health plans (Plans); and (3) health care clearinghouses.
A health care clearinghouse is a specialized entity that processes PHI. Members of the building construction industry are not health care clearinghouses.
A health care provider is an entity that furnishes, bills, or is paid for health care in the normal course of business. While a member of the construction industry is not an HCP, if it offers an on-site health clinic, the clinic itself is likely a CE if it engages in HIPAA electronic "standard transactions."  The clinic’s status as a CE may complicate the employer’s own HIPAA status if the employer owns the clinic and employs the HCPs (as opposed to merely contracting these services). To prevent the entire business from being considered a CE, it must take steps to designate itself a hybrid entity – which essentially means that it walls off its HIPAA covered functions so that the HIPAA Rules apply only to the clinic. If you offer on-site health services, contact your attorney to discuss whether you can and should elect hybrid status (it is a process).
A member of the construction industry is not a health plan, but if it sponsors a group health plan, the Plan itself may be a CE. If the Plan is fully-insured, the employer rarely receives PHI and the plan issuer (which creates and receives Plan PHI) assumes most compliance obligations. However, if the Plan is self-insured and of a certain size, the employer/sponsor performs the Plan's compliance obligations itself or through BAs. This is because health plans exist only on paper, and typically do not have their own employees. Self-funded plans therefore consist of the Plan documents, and members of the employer/sponsor's workforce that need access to PHI to administer benefits. If you offer a group health plan, consult your attorney to determine whether the Plan is a CE, the extent of your HIPAA compliance obligations, and whether you should elect hybrid status. You will also need to be sure appropriate firewalls are in place to separate employees performing Plan functions from those who are not – PHI typically cannot breach that wall.
Business associates are also subject to the Security Rule and Enforcement Rule, and to portions of the Privacy and Breach Notification Rules. A BA is an entity that creates, receives, maintains, or transmits PHI in order to perform services for a CE. It is highly unlikely that a member of the design or construction industry would qualify – contact your attorney to discuss any specific factual situation if you feel a customer is asking you to handle PHI.
My business sponsors a group health plan – what does that mean?
An employee group health plan may be fully-insured or self-insured. A fully-insured plan provides benefits exclusively through an insurance contract with a health insurance issuer or HMO. Most fully-insured plans do not provide PHI to the sponsoring employer. A self-insured plan is one in which the employer assumes the insurance risk. These plans typically have greater access to employee PHI.
Fully-Insured Plans: If your Plan is both (1) fully-insured, and (2) creates or receives no PHI except “summary health information” or participation, enrollment, and disenrollment information, the issuer or HMO will assume most HIPAA compliance obligations. However, an employer who offers a fully-insured Plan:
Privacy Rule: (1) Must not intimidate or retaliate against participant/employees who exercise their HIPAA rights; (2) may not require an individual to waive HIPAA rights as a condition of enrollment or eligibility; and (3) must enter appropriate contracts with any BAs.
Security Rule: Must confirm it does not receive or maintain ePHI from the Plan.
Breach Notification Rule: Since the Plan typically does not create or receive PHI, the issuer assumes BNR compliance obligations.
Self-Insured Plans, including FSAs: Since the Plan creates and receives PHI, the employer/sponsor typically has at least the following HIPAA compliance obligations:
Privacy Rule: Obligations of a fully-insured plan, plus: (1) providing a “notice of privacy practices” to Plan participants; (2) designating a privacy officer and a contact person to receive HIPAA complaints; (3) training workforce members; (4) implementing administrative, technical, and physical safeguards for PHI; (5) creating and enforcing compliant policies/procedures; (6) addressing “incidental disclosures” of PHI; (7) providing a complaint process; (8) sanctioning employees that violate the HIPAA Rules; (9) mitigating harmful effects of unlawful uses and disclosures; and (10) creating and maintaining appropriate documentation.
Security Rule: (1) Creating a “data map” to determine where ePHI resides at the employer/sponsor, and how it flows into, out of, and within the employer/sponsor; (2) designating a security officer; (3) performing a “risk analysis” to identify threats and vulnerabilities to/of the confidentiality, integrity, and availability of ePHI; (4) implementing a “risk management plan” to manage identified risks and vulnerabilities to an acceptable level; and (5) implementing policies/procedures to address the Security Rule’s administrative, technical, and physical safeguards for Plan ePHI.
The employer/sponsor can take a flexible approach to Security Rule compliance, considering the employer’s size, complexity, and capabilities; technical infrastructure, hardware, and software capabilities; cost of anticipated security measures; and the likelihood and seriousness of risks to Plan ePHI.
Breach Notification Rule: (1) Timely investigating all privacy and security incidents to determine whether there has been a "breach of unsecured PHI" ("breach" and "unsecured PHI" are defined terms within the BNR); and (2) timely notifying individuals, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), and sometimes the media, of breaches of unsecured PHI.
What about these OCR Phase 2 compliance audits?
OCR is the federal agency that enforces the HIPAA Rules. OCR is currently conducting "Phase 2" of its compliance program (following the 2011/2012 “Pilot phase”), performing non-complaint-based desk audits of 167 CEs for compliance with various aspects of the Privacy, Security, and Breach Notification Rules. OCR will complete the CE desk audits by December 2016, and BA audits – as well as field audits of a smaller number of CEs – will begin in early 2017.
While OCR has stated that the primary purpose of the Phase 2 audits is to help develop best practices, it has not ruled out enforcement against audited entities with significant noncompliance. Further, the OCR audit program is designed to be ongoing, so entities that escape audit in Phase 2 may still be subject to a future compliance audit.
OCR publishes information about breaches involving 500 or more individuals through a portal widely known as the "Wall of Shame." OCR describes 200 breaches involving health plans, with 25 in 2016 alone.
Affected plans come from diverse sectors, including fire protection (Valparaiso Fire Department here in Indiana), entertainment (Sony Picture Entertainment Health and Welfare Benefits Plan), communications (AT&T Group Health Plan; Sorenson Communications/Caption Call Group Health Plan), and retail (SUPERVALU Group Health Plan).
The number of affected individuals ranges from 500 to more than 78,000,000:
86 breaches involved unauthorized access or disclosure
47 involved a theft (both theft of paper or films, and theft of ePHI on desktop computers, network servers, and laptops and other portable media devices)
36 involved a hacking/IT incident
11 involved loss of PHI (either loss of paper, or loss of ePHI on laptops, other portable electronic devices, or network servers)
6 involved improper disposal
Do I have adequate and appropriate insurance coverage?
Insurance coverage for HIPAA-related incidents is complex and has both first- and third-party aspects. First-party coverage addresses direct losses to the insured from events like business interruption, destruction of data and property, and reputational harm. Third-party coverage is for losses the insured causes to customers and others, such as harm resulting from exposure of PHI during a data breach. A comprehensive review of coverage, including any "cyber-insurance" coverage, is vital to ensuring you do in fact have the coverage you think you do (this is frequently unclear), and protecting your organization against first- and third-party losses.
What can CEs be doing now?
While CEs and BAs are responsible for all applicable aspects of HIPAA Rule compliance, there are important steps your business can prioritize:
If you offer a group health plan and/or on-site health services, consult your attorney to determine the existence and scope of your HIPAA compliance responsibilities.
For businesses with direct compliance obligations:
a. Keep momentum strong. Compliance audits don't stop with Phase 2.
b. Learn from past enforcements. OCR trigger points include:
i. Security Rule risk analyses and risk management plans for ePHI;
ii. Portable electronic device security;
iii. Individuals' right to access their own PHI; and
iv. Proper BA relationships.
c. Ensure buy-in. Engage your C-suite, and build a culture of compliance among the workforce.
d. Train your employees. Training is an issue in many enforcement actions.
e. Learn from your peers. Look for opportunities to connect and share best HIPAA compliance practices.
While the building design and construction industry does not strongly associate itself with HIPAA Rule compliance, this may in fact be an issue for your business. With Phase 2 audits underway, and OCR enforcement robust, now is the time to assess your obligations and strengthen your privacy and security practices.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
Standard transactions include health care claims or equivalent encounter information, health plan eligibility, referral certification and authorization, health care claim status, health plan enrollment and disenrollment, health care payment and remittance advice, health plan premium payments, and benefits coordination.