2006-3
In two months, the Health Insurance Portability and Accountability Act (HIPAA) e-Security rules take effect for employer-sponsored health plans with less than $5 million in premiums/costs. In brief, the HIPAA e-Security regulations will require health plans that create, receive, store, or transmit protected health information (PHI) in electronic formats to establish safeguards with regard to that data.
Small Employers
In our experience, most employers with fewer than 250 participants in their health plans do not create, receive, store, or transmit e-PHI related to their health plans other than enrollment or disenrollment data. However, in light of the potential penalties for violating the regulations, we recommend that each employer/plan sponsor, regardless of their size, review their health plans and determine their status regarding e-PHI, and either document and take action, or write a memo to the file outlining their process and their results.
What is e-PHI?
1. E-PHI. E-PHI is Protected Health Information that is transmitted by electronic media or maintained in electronic media.
2. Electronic Media. For purposes of storage, electronic media includes computer hard drives, external hard drives, and removable memory media (compact flash, secure digital memory cards, memory sticks and the like). It also includes magnetic tape and discs (CDs, DVDs or optical disks). For purposes of transmission, media includes the internet, intranets, extranets, leased lines, dial-up lines, private or local area networks, etc.
3. Electronically Created. The data must have an electronic origin (e.g., Excel spreadsheets). If it is paper and then faxed, it is not e-PHI even though it is transmitted electronically. Similarly, voicemails are not e-PHI, nor are scanned documents.
4. Enrollment and Disenrollment Data. For purposes of the HIPAA Privacy Rules, this data is not subject to the Privacy Rules although it is subject to California and other states’ confidentiality rules. For purposes of the HIPAA Security Rules, electronic enrollment and disenrollment data (e.g., monthly adds and deletes, list billings) are subject to e-Security.
However, the rules allow the employer/plan sponsor to exchange that data with its health plan for enrollment/disenrollment and for purposes of obtaining health insurance quotes, without having to comply with the e-PHI Rules.
Civil Penalties
HHS may assess civil monetary penalties for violations of the e-Security Rules. On February 16, 2006, HHS released its final rule on penalties, which opens the door to combined penalties when a single act violates more than one e-Security requirement. The maximum penalty is $25,000 per requirement. In the event of violations, employers/plan sponsors may therefore face significant penalties.
Furthermore, a covered entity (e.g., health plan) may be liable for the acts of its agents including its privacy officer. As a result of the Final Rule on penalties, the compliance burden should not be taken lightly.
Action Plan
1. Assessment. Each employer/plan sponsor must undertake a review of its health plan procedures and practices and identify any potential use of e-PHI. This will involve Human Resources and the Information Technology Department if it exists, even if it is outsourced. The employer/plan sponsor should prepare a written report detailing the assessment and its results. If it concludes that the plan is e-PHI free, the employer/plan sponsor should do nothing more absent a change in circumstances.
2. E-PHI Found! In the event e-PHI is found, the employer/plan sponsor should determine whether the information is necessary in electronic format. If so, proceed to implementation.
3. Implementation. Here are the first five steps to implementation:
a. Appoint a Security Official. This may be the same person who serves as the Privacy Official or it may be someone with an information technology background.
b. Amend Plan Documents.
c. Train Workforce. The Security Official must arrange for the training of members of the workforce who will handle e-PHI.
d. Amend Business Associates Agreements.
e. Develop and Adopt Policies and Procedures. Since each plan/plan sponsor has unique administrative and environmental characteristics, there is no sample Handbook of Policies and Procedures. Each entity must undergo its own process and create its own documentation. It must use all standards contained in the Security Rules, whether required or addressable.
HIPAA Security Standards
The HIPAA e-Security regulations contain three sets of standards, all of which must be met:
1. Administrative Safeguards. These include authorizing and restricting employee access to e-PHI (access codes must be employee specific, for example), training affected staff, having a contingency plan for emergencies, a procedure for handling breaches, etc.
2. Technical Safeguards. These include limiting login access, monitoring access activity, preventing alteration or destruction of e-PHI, etc.
3. Physical Safeguards. These include locking doors and file cabinets, securing workstations, and controlling the movement of hardware and the disposal/reuse of media (hard drives, disks, etc.).
Please refer to our original e-Security Legislative Update of April 22, 2005 (2005-8) for a more detailed discussion of these safeguards and e-Security in general. I have attached a copy for your reference.
Other Sources
In the preamble to its e-Security Rules, HHS refers to an independent source for assistance in achieving compliance: the publications of the National Institute of Standards and Technology (http://csrc.nist.gov/). In light of the potential penalties involved, if you have e-PHI, it is important that implementation be thorough. These publications may be very helpful.
If you have any questions, feel free to contact our office at (415) 461-3912 or visit our website at www.abferisa.com.
Attachments
HIPAA Security Rules Overview 2005-8 4-21-05
Attachment A - Group Health Plan Electronic Security Amendment
Attachment B - Sample Business Associate Agreement re ePHI
Attachment C - Chart re HIPAA Final Security Regulations Safeguards
Copyright © 2006 Alfred B. Fowler, Attorney at Law.
All Rights Reserved. Reprint with permission only.
This legislative update is published as an information source for our clients and colleagues. It is general in its nature and is no substitute for legal advice or an opinion in a particular case.