NLRG HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE PARTNERING WITH YOU ON TRENDS AND BEST PRACTICES TO SUPPORT YOUR HUMAN RESOURCES INITIATIVES



TABLE OF CONTENTS

How Does HIPAA Privacy Fit Within the Scope of Administrative Simplification? 1
What Benefits are Subject to the HIPAA Privacy Rules? 2
Which Entities are Subject to the HIPAA Privacy Rules? 3
Health Plans Must Comply -- What is a Plan? 4
Who Is Responsible for HIPAA Compliance? 5
Brief Overview of HIPAA Privacy Rules 5
What Are Permissible Uses of Protected Health Information? 11
Red Flags: What Plan Designs Negate the Use of the Shortcut Route? 15
Steps to Compliance 16
What are the Penalties for Not Complying with the HIPAA Privacy Rules?
APPENDIX 17
Glossary of Abbreviations used within this Employer Guide 19
HIPAA Lite Shortcut Implementation Guide 20

SUPPORTING EMPLOYER TOOLS
Sample Draft Letter Requesting Confirmation of Fully-Insured Status
Designation of Hybrid Entity Status and Health Care Component
Letter Requesting Compliance Shortcut Assistance
Authorization to Discuss Insurance Claims
Authorization to Use or Disclose Health Information
Summary of Material Modifications
Policies & Procedures for Plan Administration

RELATED EMPLOYER GUIDES AND TOOLS
ERISA Reporting and Disclosure
Health and Welfare Plans
HIPAA Privacy Long Route

SPECIAL NOTE: The Privacy Rules were written to apply to a broad array of entities, not just health plans. Many of these entities have operations that are vastly different from typical employer-sponsored health plans' operations. Accordingly, the Privacy Rules are, in many cases, difficult to apply to employer-sponsored health plans, and many questions under these rules cannot be answered with certainty.

In addition, HIPAA imposes certain Security requirements on covered entities. This HIPAA Privacy Shortcut Route Employer Guide is not meant to provide full compliance with the HIPAA Security requirements. Covered entities must analyze many issues in order to fully comply with HIPAA Security, and only a basic mention of HIPAA Security concepts and terms is included within the HIPAA Lite Shortcut Implementation Guide (which is included within the Appendix at the end of this Employer Guide). For full HIPAA Security compliance, plan sponsors should seek out a service provider to work directly with the plan sponsor's particular plan design. This service provider should assure HIPAA Security compliance and perform the necessary Security risk analysis.

This Employer Guide sets out our best understanding of how to apply these rules to health plans sponsored by a single employer. Some conclusions will change as health plans gain experience under these rules, industry practices become adapted to the rules, and additional guidance becomes available. Readers should be aware that, on many points, other reasonable interpretations of the Privacy Rules may be available that are not discussed in this Employer Guide.

August 2015

HOW DOES HIPAA PRIVACY FIT WITHIN THE SCOPE OF ADMINISTRATIVE SIMPLIFICATION?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to the health plans employers maintain for their employees. Most employers are familiar with the portability provisions of HIPAA, which include limitations on pre-existing condition exclusions, requirements for special enrollment opportunities and prohibitions against discrimination based on health status. However, aside from the name HIPAA, there is almost no relationship between the HIPAA portability rules and the HIPAA privacy rules, and they should be considered to be two entirely separate topics. The HIPAA Privacy rules guard the collection, dissemination, review, and use of health information so that protected health information is not used in a discriminatory manner and so that health information is more uniformly and carefully handled.

ADMINISTRATIVE SIMPLIFICATION LEGISLATION

The HIPAA privacy rules are part of HIPAA administrative simplification, which encompasses four sets of rules:
- Electronic health transaction standards ("EDI Rules") (not discussed within this Employer Guide).
- Unique identifier rules for providers, health plans, employers and other participants in the health care system ("Identifier Rules") (not discussed within this Employer Guide).
- Security and electronic signature standards ("Security Rules") (only briefly discussed within this Employer Guide).
- Standards for privacy of individually identifiable health information ("Privacy Rules").

The EDI Rules and the Identifier Rules are intended to standardize health care transactions and create uniform identifiers for employers, health plans, providers and individuals, and, by doing so, make health care transactions more efficient and less expensive. Because standardized electronic data is vulnerable to unauthorized access, the Privacy Rules and Security Rules require implementation of various protections.

Congress generally did not craft the actual HIPAA administrative simplification standards. It required HHS to create them within some broad guidelines. The HIPAA legislation also stipulates that HHS administrative simplification rules must allow a two-year compliance period after publication in final form. Therefore, the administrative simplification standards generally could not become effective until at least two years after HHS issued final regulations implementing them. HHS finalized some of the administrative simplification rules in 2000, and the initial compliance deadlines for those rules were in 2002 and

Because compliance with the EDI Rules, Identifier Rules and Security Rules is primarily a systems issue and most employers will rely on outside vendors to implement those standards, this Employer Guide does not address compliance with those rules. In addition to employer-sponsored health plans, the Privacy Rules apply to health care providers and clearinghouses for health care transactions, as well as to health plans that are not employer-sponsored. In this Employer Guide, however, we focus only on the responsibilities of employer-sponsored health plans under the Privacy Rules, and in particular the obligations of single-employer plans (as the rules operate somewhat differently for multiple-employer plans).

WHAT BENEFITS ARE SUBJECT TO THE HIPAA PRIVACY RULES?

Virtually all employer health plans are subject to the HIPAA Privacy rules. The only health plans that are exempt from HIPAA administrative simplification rules are plans with fewer than fifty participants that have no outside administrator. ERISA plans that provide exclusively non-health benefits, like accident coverage, disability income coverage, life insurance coverage, and liability coverage, are not subject to the Privacy Rules. Moreover, these benefits are not subject to the Privacy Rules even if they are included in an ERISA plan along with health benefits. The plan does not have to comply with the Privacy Rules with respect to the excluded benefits (although it will have to comply with respect to the health benefits).

Applicability of HIPAA Privacy rules to the following:

Subject to HIPAA Privacy:
- Government-sponsored health plans
- Church-sponsored health plans
- Small health plans of small employers
- Self-insured health plans
- Health Reimbursement Arrangement (Code Section 105 medical reimbursement)
- Health FSA
- Fully-insured health plans: HMO, PPO, EPO, Traditional Indemnity, Open Access HMO, POS, Minimum Premium
- Dental benefits: Indemnity Dental, DMO
- Vision benefits
- Prescription drug benefits
- Executive Physical Program
- Employee Assistance Plan
- Retiree Medical
- Voluntary medical benefits (see below to determine which entity is responsible for HIPAA Privacy compliance)
- Wellness program
- Long-term Care

Not Subject to HIPAA Privacy:
- Life Insurance
- Accidental Death & Dismemberment Insurance
- Adoption Assistance
- Disability income coverage
- On-site medical clinics (not deemed to be a health plan, but clinics may be covered under the Privacy Rules as health care providers; this discussion is beyond the scope of this Employer Guide)
- Medical leave programs
- Automobile Liability coverage
- Workers' compensation
- Credit-only insurance
- General Liability coverage
- Legal services
- Dependent FSA
- Education Assistance
- Section 125 (cafeteria plan)

VOLUNTARY HEALTH BENEFITS

While voluntary health benefits are subject to the Privacy Rules, an employer might not be ultimately responsible for such benefits. If an employer offers an employee-pay-all voluntary insurance program, but the employer's involvement with the voluntary benefit meets the following conditions (and thus the benefit is deemed to be maintained by an insurance company), then HIPAA Privacy compliance will not be the employer's responsibility. The analysis to determine which entity is charged with HIPAA Privacy compliance is the same as the analysis to determine whether or not a benefit option is employer-sponsored or voluntary (and hence not subject to ERISA).

The following requirements must be satisfied in order for Privacy Rule compliance to become the duty of the insurer:
- The program must be offered by the insurance company on a completely voluntary basis;
- The employer's involvement with the benefits must be limited to letting insurance representatives publicize the program and collecting premiums through payroll deductions; and
- The employer must not do any of the following:
  - Make any contributions towards the benefits
  - Receive any consideration in the form of cash or otherwise in connection with the program
  - Endorse the program in any way

Note on "Endorsement": Many programs fail to qualify because the employer directly or indirectly endorses the program. Several situations have been found to involve employer endorsement that results in the employer having responsibility for the program:
- The group insurance contract providing coverage under the program is issued in the employer's name
- The employer allows employees to pay for their coverage under the program through a Section 125 pretax premium plan
- The employer chooses the insurance company and the coverage (e.g., selecting eligibility criteria, requesting non-standard provisions, or requiring options the insurer usually would not offer)
- The employer negotiates with the insurer for rates or coverage
- The employer assists employees in completing their claim forms
- The employer sends premium notices to, and collects premiums from, employees as directed by the insurer, and transmits premiums to the insurer that were paid other than through payroll deduction
- The employer sends descriptive literature under its own name
- The employer becomes involved in the discretionary administration of the arrangement

If a plan does not clearly meet the requirements to qualify as a voluntary plan, the employer should treat it as a sponsored plan for which the employer has compliance responsibility under the Privacy Rules.

WHICH ENTITIES ARE SUBJECT TO THE HIPAA PRIVACY RULES?

The Privacy Rules apply to virtually all employer-sponsored health plans (even church plans, government-sponsored plans, and small plans). Even though health plans are nominally the parties subject to these rules, as a practical matter, employers will be responsible to ensure their health plans' compliance with the Privacy Rules. While the health plans that employers maintain are subject to the Privacy Rules, employers themselves are not subject to these rules (unless they qualify as health care providers or clearinghouses, or are deemed to be health plans independent of their employer-sponsored benefit plans). Because employer-sponsored health plans generally do not have employees or assets, they cannot do anything unless the employer or a third party acts on their behalf. Accordingly, applicable law assigns responsibility for the plan's actions to various parties involved with the plan. For example, ERISA assigns responsibility for assuring proper plan operations and compliance with applicable laws to the plan's fiduciaries. In most cases, the employer is a plan fiduciary, making the employer responsible, at least in part, for the plan's compliance with the Privacy Rules.

Third parties providing services to employer-sponsored plans, like third-party administrators (TPAs), are not directly subject to the Privacy Rules because of those activities, but may incur penalties for certain violations of the Privacy Rules. Insurers, HMOs, and certain other health care plans are directly subject to the Privacy Rules, but only to the extent that they insure benefits provided under a plan. That is, if an insurer only provides administrative services to a plan but does not provide insurance, it will not be directly subject to the Privacy Rules with respect to that plan, but may incur penalties for certain violations of the Privacy Rules.

It is important to note that the employer's responsibilities with respect to its health plan, and many of the health plan's responsibilities under the Privacy Rules, continue to apply even if all plan benefits under the health plan are provided through insurance. This is true even if the health insurer providing the insurance under the plan is subject to those rules itself (although there are some significant compliance shortcuts under the Privacy Rules for fully-insured plans; see the HIPAA Privacy Long Route Employer Guide). Nonetheless, a fully-insured employer-sponsored health plan and its sponsoring employer generally retain overall responsibility for compliance with the Privacy Rules. Plans that are not fully insured do not have any compliance shortcuts under the Privacy Rules. In practice, many of the compliance functions may be delegated to third parties. However, even when an employer or plan delegates a compliance function to a third party, like a TPA, the plan and the employer generally retain responsibility for compliance with the Privacy Rules.

HEALTH PLANS MUST COMPLY -- WHAT IS A PLAN?

The benefit options above are subject to the HIPAA Privacy Rules, but employers need to identify Plans that must comply with the Privacy Rules. The Privacy Rules apply separately to each plan an employer maintains, so it is important to identify whether benefits are included within a single plan or whether benefits are offered under multiple plans.

EMPLOYERS SUBJECT TO ERISA

For employers that are subject to ERISA, a health plan for purposes of the Privacy Rules is an ERISA plan that provides health benefits. For plans that file a Form 5500, the plan is defined by the most recent Form 5500 filed for that plan, or any more recent amendments to that plan. If an employer has combined several welfare benefits into a single plan so that it files only one Form 5500 for those welfare benefits, then that combined plan is the health plan for purposes of the Privacy Rules. These combined plans may provide non-health benefits in addition to health benefits, but will still be health plans for purposes of the Privacy Rules.

EMPLOYERS NOT SUBJECT TO ERISA

For employers that are not subject to ERISA, or that sponsor health benefits programs with respect to which no Form 5500 is filed, the boundaries of a particular plan may not be well defined. In that case, the available documents regarding the health benefits (for example insurance policies, benefits booklets, and enrollment forms) will determine which health benefits are associated with which plan. Absent other documentation, each health benefits program generally should be treated as a separate plan for purposes of the Privacy Rules. For example, an employer that offers an HMO and a health flexible spending account should treat them as two separate plans, absent documentation showing that they have been combined into a single plan.

WHO IS RESPONSIBLE FOR HIPAA COMPLIANCE?

The Privacy Rules apply to virtually all employer-sponsored health plans. Even though health plans are nominally the parties subject to these rules, as a practical matter, employers will be responsible to ensure their health plans' compliance with the Privacy Rules. Third parties providing services to employer-sponsored plans, like third-party administrators (TPAs), are not directly subject to the Privacy Rules because of those activities. Insurers, HMOs and certain other health care plans are directly subject to the Privacy Rules, but only to the extent that they insure benefits provided under a plan. That is, if an insurer only provides administrative services to a plan but does not provide insurance, it will not be directly subject to the Privacy Rules with respect to that plan.

The employer's responsibilities with respect to its health plan, and many of the health plan's responsibilities under the Privacy Rules, continue to apply even if all plan benefits under the health plan are provided through insurance. This is true even if the health insurer providing the insurance under the plan is subject to those rules itself. This Employer Guide describes the significant compliance shortcuts under the Privacy Rules for fully-insured plans. Nonetheless, a fully-insured employer-sponsored health plan and its sponsoring employer generally retain overall responsibility for compliance with the Privacy Rules.

BRIEF OVERVIEW OF HIPAA PRIVACY RULES

The compliance burden under the Privacy Rules generally falls on the employer maintaining an employer-sponsored health plan that is subject to the rules. However, under certain circumstances, some of the compliance burden may shift to insurance carriers. The shift in compliance burden requires that the plan not create, maintain, or receive protected health information. Therefore, it will be necessary for the plan to obtain assurances from insurance carriers that the carriers will not release protected health information to the plan, even if the protected health information is requested.

The following material describes the general HIPAA Privacy requirements; however, much of the following material will not apply to a HIPAA-subject benefit qualifying for the HIPAA compliance shortcut. Please see the Steps to Compliance section of this Employer Guide for more specific information about the compliance process for plans able to use the HIPAA compliance shortcut.

The Privacy Rules impose conditions, limitations, and documentation requirements on virtually every use and disclosure a health plan might make of an individual's health information. For example, a health plan cannot disclose protected health information to the employer who sponsors the plan, except in limited circumstances. Protected health information is defined very broadly and includes even enrollment and claims payment information, and health plans may use or disclose protected health information without an individual's authorization or consent only in very limited circumstances, which are referred to as Treatment, Payment, and Health Care Operations. These circumstances which permit use and disclosure of PHI are commonly referred to as TPO events. For example, uses and disclosures for purposes of deciding whether benefits are payable, determining eligibility or medical necessity, obtaining payments from stop-loss insurance carriers, and auditing claims payments for accuracy are permissible uses and disclosures for which a plan does not need to obtain any consent or authorization from an individual. Any use or disclosure of protected health information for any purpose that the Privacy Rules do not identify as a permitted purpose requires an individual's specific authorization.

Authorizations must meet specific criteria in order to satisfy the Privacy Rules, including identifying the specific information to be used or disclosed pursuant to the authorization. The Privacy Rules do not permit the acquisition of a blanket authorization or waiver from individuals enrolling in the plan. Such a blanket authorization will not comply with the HIPAA Privacy Rules. Even when a use or disclosure is for a permissible purpose, the Privacy Rules impose a "minimum necessary" limit on the amount of information that a health plan can use, disclose or request. In addition, in order to be able to disclose an individual's protected health information to the individual himself or to a third party, the plan is required to verify the identity of the person to whom it is disclosing the information, and, in the case of a third party, to verify the authority of that person to receive the individual's information.

Health plans that engage third parties to provide administrative and other services are allowed to disclose protected health information to those third parties only if the health plan first obtains a legally enforceable contract (a Business Associate Agreement) in which the third party agrees to protect the privacy of enrollees' information. Similarly, an employer-sponsored health plan cannot disclose to the sponsoring employer, and cannot allow the employer to use or disclose, protected health information unless the plan first is amended to include plan provisions imposing a variety of privacy obligations on the employer and the employer certifies its agreement to those provisions.

Health plans are required to provide participants with a Notice of Privacy Practices, and to restrict their uses and disclosures of protected health information in accordance with the terms of the Notice of Privacy Practices. However, generally, insurers must distribute the Notice of Privacy Practices on behalf of the covered entity. The Notice of Privacy Practices must reflect the health plan's policies and procedures regarding the handling of protected health information and implementation of the Privacy Rules. The plan's policies and procedures are required to provide a detailed description of the plan's compliance measures.

Health plans are required to afford individuals a variety of rights with respect to their protected health information, and the Privacy Rules impose various administrative requirements for providing those individual rights. Individual rights include the right to have access to protected health information, the right to request amendments to that protected health information, and the right to receive an accounting of disclosures of protected health information, among others.

In addition to actually limiting the uses and disclosures of protected health information, the Privacy Rules require health plans to set up reasonable physical, technical, and administrative safeguards to prevent inappropriate uses and disclosures of protected health information. Plans also are required to maintain a complaint process with respect to their privacy practices, to adopt extensive policies and procedures, and to appoint a privacy official to oversee the plan's implementation of the Privacy Rules. The privacy official's duties include training employees on the plan's privacy policies and procedures and ensuring that those policies and procedures are enforced by applying sanctions to employees who fail to follow them. Finally, the Privacy Rules require that health plans document all of the various steps that they take in complying with the Privacy Rules.

TWO ROUTES TO HIPAA PRIVACY COMPLIANCE

Long Route to Compliance

While employers can delegate performance of various requirements to third parties, they still will have the responsibility to make sure that any delegated requirements are performed. Any employer plan that cannot use the compliance shortcut, or with respect to which the employer needs information that is not available to an employer from a plan using the compliance shortcut, must comply more fully with the Privacy Rules. Compliance efforts will require significant documentation and changes in plan processes, policies and procedures. Sample materials for Long Route HIPAA compliance can be found within the HIPAA Privacy Long Route Employer Guide.

Shortcut Route to Compliance

Fully-insured health plans can use a compliance shortcut that will greatly reduce their compliance burdens -- but only if the employer severely limits its involvement in plan administration. If it is unclear whether a particular benefit is fully insured, the plan sponsor may send a template letter to carriers in order to clarify the insured nature of the benefits. The Sample Draft Letter to Insurance Carrier or HMO Requesting Confirmation of Fully-Insured Status can be used to request insured plan clarification from the vendor. (A Sample Draft Letter to Insurance Carrier or HMO Requesting Confirmation of Fully-Insured Status is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix.)

Plans that qualify for the compliance shortcut eliminate many of the compliance obligations under the Privacy Rules. Plans that follow the shortcut route to HIPAA compliance must meet the following two requirements:

- All health benefits under the plan are provided only through an insurance contract or a similar contract with a health maintenance organization (HMO) (that is, the benefits are "fully insured"); and
- Neither the plan nor the sponsoring employer creates, maintains, or receives protected health information (PHI).

TYPES OF INFORMATION POSSIBLY SUBJECT TO HIPAA PRIVACY RULES

The Privacy Rules recognize several different classes of information and assign differing responsibilities with respect to those classes.

Personal Health Information -- Any information related to an individual's health, health care, or payment for health care that is not de-identified information (defined below) is protected health information. Protected Health Information is information that:
- Relates to:
  - The past, present, or future physical or mental health or condition of an individual
  - The provision of health care to an individual
  - The past, present, or future payment for the provision of health care to an individual
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse
- Identifies the individual (information is deemed to do this if there is a reasonable basis to believe that the information can be used to identify the individual)

De-identified Information -- The Privacy Rules provide two means of de-identifying health information. The first method requires the entity disclosing the health information to strip specific identifiers out of the information. The second method does not require any specific identifiers to be removed, but does require that an expert determine and certify that the information is de-identified. Any information that is de-identified is not protected health information and is not subject to the Privacy Rules.

Under the first method of de-identification, the identifiers that must be removed are the following items, each with respect to the individual that is the subject of the information, and the relatives, employers, and household members of that individual:
- Names.
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people. All other three-digit zip code designations are shown as 000.
- All elements of dates (except year) that are directly related to an individual, including birth date, admission date, discharge date, and date of death, and, in the case of individuals over age 89, all date information that would reveal the individual's age more specifically than "90 or older".
- Telephone numbers.
- Fax numbers.
- Electronic mail addresses.
- Social Security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web universal resource locators (URLs).
- Internet Protocol (IP) address numbers.
- Biometric identifiers, including finger and voice prints.
- Full-face photographic images and any comparable images.
- Any other unique identifying number, characteristic, or code (except that a unique code, unrelated to identifying information about an individual, can be assigned to identify information as relating to a single individual, in which case the entity creating the de-identified information cannot disclose the code for re-identifying the information at all, and cannot use that code or any related mechanism except to re-identify the information).

Even with all of these designated identifiers removed, information still may not be de-identified for purposes of the Privacy Rules. The entity preparing the de-identified information cannot release the information if it knows that the information could be used, alone or in combination with other information, to identify an individual who is a subject of the information. As a practical matter, this may preclude smaller employers from receiving de-identified information, because the disclosing entity will know that the employer can match the information to individuals in its workforce.

Other Types of Information -- The following three classes of health information are less restricted under the Privacy Rules than other information. By restricting its use of health information to these classes of information to the greatest extent possible, the employer may be able to qualify for the compliance shortcut with respect to its fully-insured plans. In any event, the employer can minimize compliance burdens under the Privacy Rules by using these types of information to the extent possible, even if it cannot use the compliance shortcut with respect to one or more of its plans. In addition, because health plans are required to use only the minimum information reasonably necessary for most purposes, the employer's health plan may be restricted to using only these types of information whenever they will suffice for the employer's purposes.

Summary Health Information -- Employers can receive summary health information with respect to their plan without triggering the full requirements of the Privacy Rules. Summary health information is identical to de-identified information except that it can disclose each individual's five-digit zip code. With even that very limited identifying information, summary health information is considered to be protected health information. Because it has very limited identifying information, however, it is subject to different restrictions than other protected health information. Employers can receive summary health information only for purposes of obtaining premium bids under their health plans, and for purposes of modifying, amending or terminating their health plans.

Enrollment Information -- Another set of information that an employer can receive from its health plan or an insurer under its health plan without triggering full compliance with the Privacy Rules is enrollment information. Specifically, the plan sponsor can communicate with the plan, both sending and receiving information regarding individuals' participation in the plan and whether they are enrolled with a particular insurer providing coverage under the plan. This information is technically considered to be protected health information, but employers that limit themselves to this information and summary health information will not be required to engage in the steps necessary for full compliance with the Privacy Rules.

Employment Records -- Information in an employer's employment records is not considered protected health information for purposes of the employer's health plans' compliance with the Privacy Rules.
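As an added example (not part of the NLRG guide or any of its sample tools), the first de-identification method above and the summary health information variant applied to one constructed plan record: the enumerated identifiers are dropped, dates keep only the year, an age over 89 collapses to "90 or older", and the zip code is cut to three digits or "000" by the 20,000-person test. The record schema, the disclosure date and the three-digit zip population table are assumptions made for the example, not Census data.

```python
"""Safe Harbor de-identification of a health-plan record (illustrative)."""
from __future__ import annotations

import datetime as dt
import secrets
from typing import Any

# Fields removed outright under the first method (this example's own schema).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "medical_record_number", "beneficiary_number", "account_number",
    "certificate_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
})
# Dates that are reduced to the year only.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "date_of_death"})

# CONSTRUCTED population of each three-digit zip area; a real run must use
# current Bureau of the Census data.
ZIP3_POPULATION: dict[str, int] = {"021": 600_000, "591": 15_000}
POPULATION_THRESHOLD = 20_000
AGE_CUTOFF = 89


def generalize_zip(zip_code: str, zip3_population: dict[str, int]) -> str:
    """First three digits if that area has more than 20,000 people, else '000'.
    An unknown prefix is treated as a small area, the conservative choice."""
    prefix = zip_code[:3]
    return prefix if zip3_population.get(prefix, 0) > POPULATION_THRESHOLD else "000"


def age_on(birth_date: dt.date, as_of: dt.date) -> int:
    """Whole years of age on the as_of date."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def deidentify(record: dict[str, Any], *, as_of: dt.date,
               zip3_population: dict[str, int] = ZIP3_POPULATION,
               summary_health_information: bool = False,
               reid_map: dict[str, Any] | None = None) -> dict[str, Any]:
    """Return a de-identified copy of `record`.

    summary_health_information=True keeps the five-digit zip, which the guide
    says is still protected health information. If `reid_map` is supplied, a
    random re-identification code (not derived from the individual's data) is
    attached and the code -> original record mapping is stored there; that
    mapping must stay with the disclosing entity and never be disclosed.
    """
    out: dict[str, Any] = {}
    over_89 = False
    if record.get("birth_date"):
        over_89 = age_on(dt.date.fromisoformat(record["birth_date"]), as_of) > AGE_CUTOFF

    for field, value in record.items():
        if value is None or field in DIRECT_IDENTIFIERS:
            continue
        if field in DATE_FIELDS:
            if field == "birth_date" and over_89:
                continue  # even the birth year would reveal an age above 89
            out[field] = str(dt.date.fromisoformat(value).year)
        elif field == "zip":
            out[field] = value if summary_health_information else generalize_zip(value, zip3_population)
        elif field == "age":
            out[field] = "90 or older" if int(value) > AGE_CUTOFF else str(value)
        else:
            out[field] = value  # state, diagnosis code, paid amount, etc.

    if over_89:
        out["age"] = "90 or older"
    if reid_map is not None:
        code = secrets.token_hex(8)
        reid_map[code] = record
        out["reid_code"] = code
    return out


def residual_identifiers(record: dict[str, Any]) -> set[str]:
    """Fields still present that the first method requires removed; empty means clean."""
    return {f for f in record if f in DIRECT_IDENTIFIERS}


# Constructed sample claim line and disclosure date for the demonstration.
SAMPLE = {
    "name": "Example Member", "street": "1 Main St", "city": "Boston",
    "state": "MA", "zip": "02118", "birth_date": "1924-05-04",
    "admission_date": "2015-03-10", "ssn": "000-00-0000",
    "diagnosis_code": "E11.9", "paid_amount": 412.50,
}
AS_OF = dt.date(2015, 8, 1)


def demo(summary_health_information: bool = False,
         reid_map: dict[str, Any] | None = None) -> dict[str, Any]:
    """De-identify the constructed sample as of the constructed disclosure date."""
    return deidentify(SAMPLE, as_of=AS_OF,
                      summary_health_information=summary_health_information,
                      reid_map=reid_map)


if __name__ == "__main__":
    print(demo())
```

The "actual knowledge" test in the paragraph above (a small workforce lets the employer match records to people) cannot be mechanized this way and still has to be judged before release.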
Information that the employer receives in its capacity as an employer, such as a return-to-work evaluation, is protected health information in other contexts but not when it is received by the employer for employment purposes and retained in the employer's files related to employment matters (as opposed to health plan matters). In that case, such information is not considered to be protected health information for which the employer's health plan or the employer has compliance responsibilities under the Privacy Rules.

PARTIES WITH INTERESTS UNDER THE PRIVACY RULES

When planning a compliance strategy under the Privacy Rules, health plans need to identify who is protected by the Privacy Rules, as well as who has obligations under the Privacy Rules.

Individuals -- The Privacy Rules protect individuals' protected health information insofar as it is being used, disclosed, or requested by an entity covered under the Privacy Rules. The definition of individual makes clear that each employee and each dependent covered under a health plan is considered to be an individual with independent privacy protections. This means that no individual can act for another in connection with the Privacy Rules except as expressly provided in the Privacy Rules. In addition, a health plan cannot disclose information about an individual to anyone other than that individual except as provided in the Privacy Rules. Plans are required, however, to treat an individual's personal representative as if the personal representative were the individual himself. Prior to doing so, however, the plan must verify the personal representative's identity and verify that the personal representative has authority recognized under the Privacy Rules to act on behalf of the individual. The Privacy Rules recognize the following types of personal representatives:

- A parent acting for his or her minor child.
- A guardian acting for an incapacitated adult or emancipated minor.
- A personal representative acting on behalf of a decedent.

It is important to note that an individual's protections under the Privacy Rules continue even after death, until the health plan no longer retains any of the individual's protected health information. The personal representatives recognized under the Privacy Rules do not include an employee acting on behalf of a spouse or an adult child, even if enrolled in a health plan as the employee's dependent. While there are a number of arguments in favor of health plans being able to share protected health information with family members, none of these is recognized in the Privacy Rules themselves.
Accordingly, health plans should arrange their systems so that they communicate with individuals enrolled in the plan directly rather than addressing communications containing a spouse's or adult child's protected health information to the employee. According to HHS representatives, an exception to this rule applies with respect to explanation of benefit statements. Those representatives have stated that plans can continue to send these statements to the employee, even if they contain a spouse's or adult child's information. It appears that most health plans are relying on these statements, continuing to send these statements to the employee. Except for these statements, employers and their plans should protect themselves and only communicate protected health information with the individual that is the subject of the information or his personal representative. This will be a change for most plans and will likely be a source of contention.

Organizational Issues -- The way in which a health plan is organized and funded affects the various parties' roles and responsibilities with respect to the health plan's compliance with the Privacy Rules.

Hybrid Entities -- A health plan is a hybrid entity if it is a single plan that includes both health and non-health benefits. If a hybrid entity designates itself as such and designates which portions of the plan are its healthcare components (that is, those parts providing health benefits), then the non-health components of the plan are not required to comply with the Privacy Rules. It is arguable that a health plan would get this hybrid entity treatment even without being designated as a hybrid entity because of the way health plans are defined under the Privacy Rules. As a matter of compliance planning, however, employers should designate their plans that include non-health benefits as hybrid entities to ensure that the non-health portions of those plans are not affected by the Privacy Rules.

(A sample Designation of Hybrid Entity Status and Health Care Component is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix.)

If an employer has a hybrid plan and is not using the compliance shortcut, it must implement firewalls between the health and non-health portions of that plan. Firewalls are physical, technical, and administrative safeguards that prevent or prohibit disclosure of protected health information. In the case of a hybrid plan providing both health benefits and life insurance benefits, for instance, firewalls might consist of policies and procedures prohibiting any employee that deals with the health plan from using protected health information from the health plan in connection with the life insurance benefits. A physical safeguard might consist of maintaining health benefits records in a locked file cabinet to which only those employees who work with health benefits have a key (and those who work only with life insurance benefits do not). A technological safeguard would be a protection in a computerized system that would prevent access to protected health information from a health plan by anyone other than employees assigned to work with the health benefits.

Plan Sponsors -- As noted previously, the employer that sponsors a health plan is not itself subject to the Privacy Rules on the basis of its activities in connection with the health plan. In addition, the employer is considered to be a separate legal entity from its health plan, so that the health plan generally is not entitled to disclose protected health information to the employer in connection with plan administration. The Privacy Rules prohibit plans from disclosing any protected health information to the sponsoring employer (other than summary health information or enrollment information, as described above) unless the plan document includes certain provisions regarding the plan sponsor's handling of protected health information, and the plan sponsor has certified that:

- The plan has been amended.
- The plan sponsor will abide by the plan amendments and certain other commitments.

In the event that the plan document is amended and the certification is provided as required, the plan (and an insurer or HMO providing benefits under the plan) can disclose to the employer, solely for the employer's plan administration purposes or as required by law, protected health information in addition to summary health information and enrollment information. Without these documents in place, these disclosures could not occur unless individuals authorized them according to the Privacy Rules' requirements for authorizations. These disclosures are subject to the Privacy Rules' minimum necessary, verification and other limiting requirements.
This means that the plan cannot disclose any protected health information to the employer that is not reasonably necessary to accomplish the plan administration functions that the employer performs on behalf of the plan.

The commitments that the employer must make with respect to receipt of protected health information from the plan include, among others, that the employer will identify all of its employees, by name, title or classification, who will have access to the protected health information received from the plan (the "designated employees"). The plan sponsor must commit that it will not allow any other employees to have access to that information. In addition, the plan sponsor must commit to setting up firewalls to protect against access by employees other than the designated employees, and access by the designated employees for purposes other than performing the plan sponsor's plan administration functions.

To receive protected health information from the plan, an employer must commit that it will not use that protected health information for any employment-related decisions or actions or for any other benefit or benefit plan that the employer maintains. Because of this prohibition, it is particularly important for employers to ensure that protected health information obtained in connection with employment-related matters, such as medical leaves, remains separate from plan protected health information. So long as it remains part of the employer's employment files and is not used in connection with administering the plan, it is not considered protected health information. If, however, an employer combines its plan files and employment files, or uses information in either for the benefit of the other, this employment information could lose its exemption from the Privacy Rules and become part of the protected health information for which the employer's health plan has compliance responsibilities.
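The conditions under which information may flow from the plan or insurer to the sponsoring employer (the limited classes of summary health information, enrollment information and employment records described earlier, and the plan amendment, certification and designated-employee requirements for any other protected health information) can be expressed as a single disclosure gate. The following is an added example, not part of this Employer Guide; the class and purpose names, the sponsor and request records, and every sample value are constructed for the illustration.

```python
"""Disclosure gate modelling the guide's rules on which health information a plan
(or its insurer) may hand to the sponsoring employer, to whom, and for what purpose.
Added example, not part of the NLRG guide; class, purpose and field names are this
example's own.
"""
from dataclasses import dataclass
from enum import Enum, auto


class InfoClass(Enum):
    DE_IDENTIFIED = auto()      # all identifiers removed; not PHI
    SUMMARY_HEALTH = auto()     # de-identified plus five-digit zip; still PHI
    ENROLLMENT = auto()         # who is enrolled, and with which insurer
    PLAN_PHI = auto()           # any other PHI held by the plan or insurer
    EMPLOYMENT_RECORD = auto()  # kept in employment files; not PHI


class Purpose(Enum):
    PREMIUM_BID = auto()
    AMEND_OR_TERMINATE_PLAN = auto()
    ENROLLMENT_ADMIN = auto()
    PLAN_ADMINISTRATION = auto()
    REQUIRED_BY_LAW = auto()
    EMPLOYMENT_DECISION = auto()   # leave, discipline, hiring and the like
    OTHER_BENEFIT_PLAN = auto()    # e.g. life insurance benefits in a hybrid plan


# Purposes for which the two limited PHI classes may flow to the employer without
# the plan amendment, certification and designated-employee machinery.
LIMITED_CLASS_PURPOSES = {
    InfoClass.SUMMARY_HEALTH: {Purpose.PREMIUM_BID, Purpose.AMEND_OR_TERMINATE_PLAN},
    InfoClass.ENROLLMENT: {Purpose.ENROLLMENT_ADMIN, Purpose.PLAN_ADMINISTRATION},
}
# Purposes the sponsor certifies it will never use plan PHI for.
FORBIDDEN_PHI_PURPOSES = {Purpose.EMPLOYMENT_DECISION, Purpose.OTHER_BENEFIT_PLAN}
SPONSOR_PHI_PURPOSES = {Purpose.PLAN_ADMINISTRATION, Purpose.REQUIRED_BY_LAW}


@dataclass(frozen=True)
class PlanSponsor:
    plan_amended: bool                    # plan document carries the required provisions
    certification_signed: bool            # sponsor certified it will abide by them
    designated_employees: frozenset       # names/titles/classifications with PHI access


@dataclass(frozen=True)
class Request:
    info: InfoClass
    purpose: Purpose
    requester: str                        # employer-side employee (name or title)
    individual_authorized: bool = False   # valid, unrevoked authorization on file


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(sponsor: PlanSponsor, req: Request) -> Decision:
    """Apply the guide's rules to one disclosure request, most restrictive first."""
    if req.info is InfoClass.DE_IDENTIFIED:
        return Decision(True, "de-identified information is not PHI")
    if req.info is InfoClass.EMPLOYMENT_RECORD:
        # Employment records stay outside the Privacy Rules only while they are kept
        # apart from plan administration; mixing the files risks that exemption.
        if req.purpose is Purpose.PLAN_ADMINISTRATION:
            return Decision(False, "employment record must not be used for plan administration")
        return Decision(True, "employment record held in employment files is not PHI")
    if req.info in LIMITED_CLASS_PURPOSES:
        if req.purpose in LIMITED_CLASS_PURPOSES[req.info]:
            return Decision(True, f"{req.info.name} permitted for {req.purpose.name}")
        return Decision(False, f"{req.info.name} not permitted for {req.purpose.name}")
    # Everything below concerns PLAN_PHI.
    if req.purpose in FORBIDDEN_PHI_PURPOSES:
        return Decision(False, f"sponsor has certified it will not use plan PHI for {req.purpose.name}")
    if req.individual_authorized:
        return Decision(True, "authorized by the individual; stay within the authorization's scope")
    if req.purpose not in SPONSOR_PHI_PURPOSES:
        return Decision(False, f"plan PHI not disclosable to the sponsor for {req.purpose.name}")
    if not (sponsor.plan_amended and sponsor.certification_signed):
        return Decision(False, "plan amendment and sponsor certification not in place")
    if req.requester not in sponsor.designated_employees:
        return Decision(False, f"{req.requester!r} is not a designated employee")
    return Decision(True, "plan PHI released for plan administration; minimum necessary applies")


def audit(sponsor: PlanSponsor, requests: list) -> list:
    """One log line per request so that denials can be reviewed by the privacy officer."""
    lines = []
    for r in requests:
        d = evaluate(sponsor, r)
        verdict = "ALLOW" if d.allowed else "DENY "
        lines.append(f"{verdict} {r.info.name:<17} {r.purpose.name:<24} {r.requester:<17} {d.reason}")
    return lines
```

Running `audit` over a sponsor whose plan has not been amended shows that only summary health information (for bids, amendment or termination) and enrollment information pass, which is exactly the position of an employer on the shortcut route.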
Insurers -- An insurer or HMO providing coverage under a plan is subject to the Privacy Rules with respect to its own operations on behalf of that plan. That is, unlike the plan sponsor, the insurer is directly required to comply with the Privacy Rules, even if the plan does not impose those requirements on the insurer via contract. The insurer's responsibility is, however, limited to its own operations. It is not responsible for the group health plan's compliance solely because it provides coverage under the plan. Just as the employer is considered to be a separate entity from the group health plan, the insurer is also considered to be a separate legal entity from the health plan.

Even though an insurer is considered to be a separate legal entity from the group health plan, it is treated as part of an organized health care arrangement with respect to the health plan. This means that the insurer and the health plan itself (but not the employer) can exchange certain protected health information as if they were a single entity and can use a single notice of privacy practices. These exchanges, like all other exchanges of protected health information within an entity, are limited to those made for purposes recognized under the Privacy Rules and are subject to the minimum necessary requirements and other restrictions on disclosure. A health plan is not required to enter into a business associate contract, as described in the next section, with an insurer that provides no services other than insurance coverage under the plan.

WHAT ARE PERMISSIBLE USES OF PROTECTED HEALTH INFORMATION?

The HIPAA Shortcut to compliance is based upon the premise that the Plan does not see, use, or receive protected health information. However, in operation of the benefits, the Plan will have enrollment information, certain claim payment information, and an employee may ask the Plan to participate in a claim appeal. Consequently, the Plan may maintain certain protected health information for Treatment, Payment, or Health Care Operations purposes.

TREATMENT

Treatment is defined, in part, as provision, coordination, or management of health care and related services by a health care provider, including coordination or management of health care by the health care provider with a third party. Health plans are not health care providers for purposes of the Privacy Rules, so health plans cannot directly perform treatment functions. Health plans may, however, disclose protected health information to any health care provider for that provider's treatment activities.
For example, a health plan would be allowed to respond to a physician's request for information regarding previous treatments an individual had received, if needed to assess a current course of treatment. As a practical matter, these disclosures of protected health information will be infrequent.

PAYMENT

The payment functions for which health plans can use or disclose an individual's protected health information without first obtaining his authorization include all activities to obtain premium payments or to determine or fulfill the plan's responsibility for coverage of, and provision of health benefits with respect to, an individual. Payment functions include:

- Determining individuals' eligibility for coverage, including determination of rights pursuant to COBRA.
- Obtaining reimbursement for benefits paid during a period of ineligibility.
- Determining whether individuals have coverage in effect under the plan, and in what capacity.
- Determining whether particular expenses are covered under the plan with respect to individuals (including coordination of benefits determinations, cost sharing determinations, subrogation determinations, medical necessity determinations, and all other determinations to reach a decision on whether benefits are payable under the terms of the plan for particular health benefit claims).
- Making claims payments based on those determinations.
- Coordination of benefits, including, without limitation, collecting amounts from another plan covering an individual, and determining the order of benefits payment and the extent to which benefits have been paid from another plan.
- Activities related to rights of reimbursement the plan may have with respect to previously-paid benefits and subrogation activities, including asserting liens against actual or potential recoveries, exercising rights of reimbursement with respect to third parties, and making demand for repayment of benefits.
- Determining cost-sharing amounts applicable to particular claims under the terms of the plan, including determining whether an individual has reached applicable plan limits, satisfied deductibles or out-of-pocket limits, or is required to make a copayment or satisfy coinsurance with respect to a particular claim.
- Adjudicating benefit claims under the plan (including appeals and other payment disputes).
- Claims management and related health care data processing, including auditing payments, investigating and resolving payment disputes, and responding to enrollees' inquiries about payments.
- Billing and collection activities and related data processing.

- Obtaining payment under a contract for reinsurance (including stop-loss and excess loss insurance), including notification to issuers of diagnoses or claims that trigger reporting requirements under such policies.
- Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.
- Determining required employee contributions.
- Risk adjusting amounts due for coverage based on enrollees' health status, claims history, and demographic characteristics, to the extent permissible under applicable law.
- Utilization review activities, including precertification and preauthorization of services, and concurrent and retrospective review of services.
- Disclosure to consumer reporting agencies relating to collection of premiums or reimbursement, limited to any or all of the following:
  - Name and address.
  - Date of birth.
  - Social Security number.
  - Payment history.
  - Account number.
  - Name and address of the plan.

HEALTH CARE OPERATIONS

The health care operations functions for which health plans can use or disclose an individual's protected health information without first obtaining the individual's authorization are specified in the Privacy Rules. Those activities are permissible to the extent that they relate to a health plan's providing or paying for health benefits. The listed operations functions are:

- Quality assessment and improvement activities.
- Population-based activities relating to improving health or reducing health care costs, protocol development, case management, disease management, care coordination, and contacting health care providers and enrollees with information about treatment alternatives and related functions.
- Rating provider and plan performance, including accreditation, certification, licensing, or credentialing activities.
- Fraud and abuse detection and compliance activities.
- Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims (including stop-loss insurance and excess of loss insurance).
- Conducting or arranging for medical review, legal services, and auditing functions.
- Business planning and development, such as conducting cost-management and planning-related analyses for the management and operation of the Plan, including formulary development and administration, and development or improvement of payment methods or coverage policies.
- Business management and general administrative activities, including:
  - Management activities relating to the implementation of and compliance with HIPAA's administrative simplification requirements.
  - Customer service, including the preparation and provision of data analyses for use of the Plan Sponsor and others.
  - Resolution of internal grievances.
  - Due diligence in connection with the sale or transfer of assets to a potential successor in interest if the potential successor in interest either:
    - Is a covered entity for purposes of HIPAA; or
    - Will become a covered entity following completion of the sale or transfer.

A health plan may disclose protected health information to other entities that are covered under the Privacy Rules to assist those entities with some of their health care operations activities in two situations. The plan may disclose protected health information to other health plans that are sponsored by the same employer, and to any insurers with respect to those plans, to assist with those plans' health care operations activities that are similar to the operations activities listed above.

To the extent that both the plan and another entity covered by the Privacy Rules have a relationship with an individual and the individual's protected health information pertains to that relationship, the plan may disclose that individual's protected health information to that entity to assist the entity with its health care operations activities involving:

- Quality assessment and improvement activities.
- Population-based activities relating to improving health or reducing health care costs, protocol development, case management, disease management, care coordination, and contacting health care providers and enrollees with information about treatment alternatives and related functions.
- Rating provider and plan performance, including accreditation, certification, licensing, or credentialing activities.
- Fraud and abuse detection and compliance activities.

Required By Law -- Health plans may use and disclose protected health information to the extent required by applicable law. A use or disclosure is deemed to be required by law for purposes of the Privacy Rules if a mandate contained in law compels a health plan to make a use or disclosure of protected health information, and that mandate is enforceable in a court of law. Uses and disclosures that are required by law include:

- Complying with court orders and court-ordered warrants.
- Responding to subpoenas or summons issued by a court, grand jury, governmental or tribal inspector general, or an administrative body authorized to require the production of information.
- Providing information pursuant to a civil or an authorized investigative demand.
- Complying with statutes or regulations that require the production of information.

The Privacy Rules require health plans to take certain actions whenever the health plan makes certain uses and disclosures of protected health information that are required by law.
If a use or disclosure is required because of an order of a court or administrative tribunal, the health plan may use or disclose protected health information only to the extent expressly required by that order.

If a use or disclosure is required by a subpoena, discovery request, or other demand in connection with a legal proceeding, but that subpoena, discovery request or demand is not accompanied by an order of a court or administrative tribunal, a health plan may use or disclose protected health information in response only to the extent that the plan receives certain assurances from the party seeking the information or makes reasonable efforts to notify the individual that is the subject of the protected health information of the pending use or disclosure.

If a use or disclosure is required by an administrative subpoena or summons, or a civil or authorized investigative demand, a health plan is allowed to disclose protected health information in response only if the information sought is relevant and material to a legitimate law enforcement inquiry, the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought, and de-identified information could not reasonably be used.

If the health plan is required by law to disclose protected health information about an individual whom the plan reasonably believes to be a victim of abuse, neglect, or domestic violence, the plan must promptly inform the individual that is the subject of the protected health information that such a report has been or will be made, except in very specific situations.

Law Enforcement -- It is permissible for health plans to make a variety of disclosures to law enforcement officials to voluntarily assist in law enforcement efforts. Most plans, however, only make disclosures to law enforcement officials as required by law and to report criminal activities affecting the plan.
A health plan may disclose protected health information to a law enforcement official if the plan believes in good faith that the protected health information constitutes evidence of criminal conduct that occurred on the premises of the health plan.

As Authorized By the Individual -- A health plan may use or disclose any protected health information of an individual in any manner that the individual authorizes in an authorization that complies with the Privacy Rules. For an authorization to be valid it must contain the following elements in plain language:

- A description of the information to be used or disclosed pursuant to the authorization that identifies the information in a specific and meaningful fashion.
- The name or other specific identification of the persons or class of persons authorized to make the authorized use or disclosure.
- The name or other specific identification of the persons or class of persons by or to whom the requested use or disclosure may be made.
- Each purpose of the requested use or disclosure (a statement that the use or disclosure is at the request of the individual is sufficient when an individual initiates the authorization).
- An expiration date or expiration event that relates to the individual or the purpose of the use or disclosure.
- A statement of the individual's right to revoke the authorization, together with a description of how the individual would go about revoking the authorization and any limitations on the right to revoke the authorization.
- A statement of the extent to which enrollment or eligibility for benefits or payment of benefits are conditioned on the individual's providing the authorization (in most cases this will require a statement that none of these things is conditioned on the individual's providing the authorization).
- A notation that information disclosed pursuant to the authorization may be re-disclosed by the recipient and no longer protected under the Privacy Rules.
- A statement that the covered entity must provide the individual with a copy of the signed authorization.
- The signature of the individual and the date.
- If the authorization is signed by a personal representative of the individual, a description of the personal representative's authority to act for the individual.

Authorizations generally cannot be combined with one another or with other documents. In particular, a voluntary authorization cannot be combined with one that is required in order for an individual to obtain enrollment, eligibility or benefits under a health plan.
Authorizations can be required as a condition of enrollment or eligibility in a health plan only if requested prior to an individual's enrollment in the health plan and sought for purposes of determining eligibility, enrollment, or underwriting or risk rating determinations. Employer-sponsored group health plans generally cannot use protected health information for purposes of making individualized eligibility determinations, so these non-voluntary authorizations should be used only in the case of a group applying for coverage with respect to which the insurer has required health statements so that it can decide whether to accept the group and, if so, how to rate the group as a whole.

In general, authorizations must be revocable at any time, except to the extent that the entity releasing the authorized information has taken action in reliance on the authorization. If an authorization is obtained as a condition of obtaining insurance coverage, as in the group underwriting situation noted above, and other law provides an insurer with the right to contest a claim under the policy or the policy itself, the authorization also may be made irrevocable.

Having received an authorization, a covered entity may use and disclose the authorizing individual's protected health information in accordance with that authorization, but must be careful that its uses and disclosures do not go beyond those authorized unless otherwise permitted under the Privacy Rules.

EXTREMELY LIMITED PLAN ADMINISTRATION

An employer may only engage in limited plan administration. The following administration functions are permissible under the HIPAA Shortcut Route:

Enrollment -- The employer and the insurer or HMO can exchange information about which employees and dependents have coverage in effect under the plan and the employer can collect enrollment and disenrollment forms and send them to the insurer or HMO.
If, however, enrollment involves employees providing more than basic information (if, for example, a health statement is required), the employer will need to obtain employees' and dependents' specific authorizations to collect that information.

Explaining Plan Terms -- The employer can discuss plan terms and how they apply in particular situations with employees and dependents to assist in their understanding of the plan. The employer cannot, however, become involved in specific claims decisions under the plan.

Assisting with Claim Denials -- The employer can:

- Allow employees and dependents to report claims difficulties to the employer.
- Discuss those difficulties with the individual(s) involved.
- Report the difficulties to the insurer or HMO.

Plan Sponsor Functions -- The employer can use summary health information from the insurer or the HMO, but only for purposes of obtaining premium bids for, or modifying or terminating, the plan. The employer may not receive information from the insurer other than summary health information, de-identified health information, enrollment and disenrollment information, and information released in accordance with an individual's authorization.

RED FLAGS: WHAT PLAN DESIGNS NEGATE THE USE OF THE SHORTCUT ROUTE?

Fully-insured employer plans can avoid most of the compliance burdens imposed by the Privacy Rules by using the compliance shortcut. In order to use the shortcut, however, the employer under the plan must severely limit its involvement with plan administration.

RED FLAG #1: EMPLOYERS THAT NEED/REQUIRE MORE PHI THAN PERMITTED

In order to follow the shortcut route, neither the plan nor the sponsoring employer may create, maintain, or receive protected health information. If the employer chooses to be involved in day-to-day administration and oversight of all aspects of the benefits, then the shortcut route is not available to the employer.

RED FLAG #2: PLANS THAT CONTAIN A COMBINATION OF FULLY-INSURED AND SELF-INSURED HIPAA-SUBJECT BENEFITS

The employer should consider each of its Plans separately and consider the following steps:

1. The employer should determine how many Plans it has.
   (Please refer to the section in this Employer Guide entitled Health Plans Must Comply -- What Is A Plan?)
2. Separate HIPAA Privacy compliance applies to each Plan that includes HIPAA-subject benefits. So, within each Plan, the employer should determine if there are HIPAA-subject benefits (see the section entitled What Benefits Are Subject to the HIPAA Privacy Rules, earlier in this Employer Guide).
3. Within each Plan subject to HIPAA Privacy, the employer will need to determine if there is a combination of fully-insured and self-insured HIPAA-subject benefits. Plans that include both fully-insured and self-insured HIPAA-subject benefits must follow the Long Route to HIPAA compliance (please see HIPAA Privacy Long Route: An Employer Guide).

Tip: Employers wishing to take advantage of the HIPAA Shortcut should move either the fully-insured HIPAA-subject benefits or the self-insured HIPAA-subject benefits out of the Plan and into a different Plan.

STEPS TO COMPLIANCE

ASSESS APPLICABILITY OF HIPAA PRIVACY

1. Identify all plans sponsored by the employer (for entities subject to ERISA, this will mean identifying how many separate, active plan numbers exist; for entities not subject to ERISA, this will mean searching through paperwork and benefit materials in order to determine the plan sponsor's intention regarding how many plans it would offer).
2. Determine whether or not the plan sponsor is subject to the Privacy Rules. (If yes, proceed. If no, stop.)
3. Identify any benefit options which are exempt from the Privacy Rules. (With regard to those specific benefit options, do not proceed. Note: This does not necessarily mean that other benefit options contained within the same Plan are also exempt from the HIPAA Privacy Rules.)
4. Within the Plans, identify which benefit options are required to comply with the HIPAA Privacy Rules.

EVALUATE PLAN DESIGN

5. If there are multiple benefit options within a given plan, then make the following determinations with regard to the benefit(s) offered under each plan:
   a. Are all HIPAA Privacy-subject benefits under the plan fully-insured?
      i. If yes, then the plan sponsor can follow the HIPAA Shortcut Route with regard to the HIPAA Privacy-subject benefit options under the plan.
      ii. If no, then the plan sponsor must either:
         (a) Change the plan design (on a prospective basis) in order to allow the plan sponsor to take advantage of the HIPAA Privacy Shortcut. The plan sponsor can accomplish this by:
            1) moving all fully-insured HIPAA Privacy-subject benefits to a new or existing plan (with regard to the HIPAA Privacy-subject self-insured benefits remaining in the plan, the plan sponsor would need to follow the Long Route to HIPAA Compliance); or
            2) moving all of the self-insured HIPAA Privacy-subject benefits to a new or existing plan; or
         (b) Follow the Long Route to HIPAA Compliance and do NOT continue with the remaining Steps to Compliance in this Employer Guide.
         (See the HIPAA Privacy Long Route: An Employer Guide.)
   b. Does any Plan contain a mix of HIPAA Privacy-subject benefits and benefits which are not subject to HIPAA Privacy?
      i. If yes, then for that Plan, the plan sponsor should consider one of the following options:
         (a) Designate the Plan as a Hybrid Entity;
         (b) Change the plan design (on a prospective basis), moving either all of the HIPAA Privacy-subject benefits to a new or existing Plan or moving all of the benefits which are not subject to HIPAA Privacy to a new or existing Plan.
         (A Sample Hybrid Designation Form is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix.)

20 ADMINISTRATIVE DETAILS 6. Adopt an Authorization Form that allows the employer to discuss specific claims with an insurer or HMO (The employer may explain plan terms and may assist employees with enrollment questions and with claim appeals as long as an Authorization Form has been signed by the employee and permits the employer to assist with a specific claim). 7. Request carrier s assistance in continuing to satisfy the requirements for the compliance shortcut. 8. Create and adopt the abbreviated Policies and Procedures necessary in order to comply with the HIPAA Shortcut requirements. A Sample Authorization to Discuss Insurance Claims is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix A Sample Letter Requesting Compliance Shortcut Assistance is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix Sample Policies and Procedures are available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix DISTRIBUTION TO EMPLOYEES 9. Distribute a Summary of Material Modifications ( SMM ) to employees who are covered by the fully-insured benefits which are permitted to follow the HIPAA Shortcut. A Sample Summary of Material Modifications is available within the HIPAA Lite Shortcut Implementation Guide portion of the Appendix WHAT ARE THE PENALTIES FOR NOT COMPLYING WITH THE HIPAA PRIVACY RULES? The administrative simplification rules generally are enforceable only by HHS and the Department of Justice, through civil and criminal penalties. Individuals generally cannot sue to recover damages for violation of the Privacy Rules. In some instances, however, individuals will be able to sue under ERISA or comparable state authorities to enforce plan terms required by the Privacy Rules. Accordingly, employers should be aware that they may have liability to individual plan participants as a result of noncompliance. 
CIVIL PENALTIES Under the HITECH Act provisions, an affirmative defense exists if the violation was not due to willful neglect and the violation is corrected during the 30-day period beginning on the first date of such knowledge or during the period determined by the Secretary of HHS to be appropriate (based upon the nature and extent of the covered entity s failure to comply). After investigation of a breach, HHS will inform the covered entity of its security failure. The covered entity will then have 30 days in which to submit evidence of its affirmative defenses or any mitigating factors. The penalties can be waived by the HHS Secretary if the violations were not due to willful neglect. The penalties associated with violations of HIPAA s administrative simplification provisions vary according to when they occurred. Violations which occurred before February 18, 2009 amount to $100 per violation (there is a maximum limit of $25,000 per calendar year for identical violations). However, violations which occurred on/after February 18, 2009 are subject to minimum civil penalties, and the maximum limit of the penalty was significantly increased in the 2013 final regulations. Additionally, the 2013 final regulations subject a covered entity to liability for civil penalties because of the actions of its business associate, even if the covered entity did not know of the violations. Civil penalty analysis relies on a tier structure for the severity of the penalty: HIPAA PRIVACY SHORTCUT ROUTE: AN EMPLOYER GUIDE 17


More information

Administrative Services

Administrative Services Policy Title: Administrative Services De-identification of Client Information and Use of Limited Data Sets Policy Number: DHS-100-007 Version: 2.0 Effective Date: Upon Approval Signature on File in the

More information

Schindler Elevator Corporation

Schindler Elevator Corporation -4539 Telephone: (973) 397-6500 Mail Address: P.O. Box 1935 Morristown, NJ 07962-1935 NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

HIPAA Policies and Procedures

HIPAA Policies and Procedures HIPAA Policies and Procedures William T. Chen, MD, Inc. General Rule 164.502 A Covered Entity may not use or disclose PHI except as permitted or required by the privacy regulations. Permitted Disclosures:

More information

OREGON HEALTH AUTHORITY, OFFICE FOR OREGON HEALTH POLICY AND RESEARCH

OREGON HEALTH AUTHORITY, OFFICE FOR OREGON HEALTH POLICY AND RESEARCH OREGON HEALTH AUTHORITY, OFFICE FOR OREGON HEALTH POLICY AND RESEARCH 409-025-0100 Definitions DIVISION 25 ALL-PAYER HEALTHCARE CLAIMS DATA REPORTING PROGRAM The following definitions apply to OAR 409-025-0100

More information

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996 HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title

More information

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " "

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance  De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " " D even McGraw " Director, Health Privacy Project January 15, 201311 HIPAA Scope Does not cover all health data Applies

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT HIPAA DENTAL HYGIENE PRIVACY AND SECURITY POLICIES AND PROCEDURES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT HIPAA DENTAL HYGIENE PRIVACY AND SECURITY POLICIES AND PROCEDURES 1 2015 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT HIPAA DENTAL HYGIENE PRIVACY AND SECURITY POLICIES AND PROCEDURES 2 FERRIS STATE UNIVERSITY DENTAL HYGIENE HIPAA POLICIES AND PROCEDURES TABLE

More information

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4 HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS HIPAA Privacy Policy pages 2 to 12 Exhibit A HIPAA Privacy Regulations pages A-1 to A-89 Exhibit B Notice of Privacy Practices pages B-1 to B-4 Exhibit

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

Health Insurance Portability and Accountability Act. Policies and Procedures Compliance Manual. Human Resources. Ferris State University

Health Insurance Portability and Accountability Act. Policies and Procedures Compliance Manual. Human Resources. Ferris State University Health Insurance Portability and Accountability Act Policies and Procedures Compliance Manual Human Resources Ferris State University Introduction to Ferris State University s HIPAA Privacy Policies and

More information

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES SCHOOL DISTRICT OF BLACK RIVER FALLS 523.5 Exhibit NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES PRIVACY NOTICE This notice describes how medical information about you may be used and disclosed and how

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

General HIPAA Implementation FAQ

General HIPAA Implementation FAQ General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,

More information

UNIVERSITY HOSPITAL POLICY

UNIVERSITY HOSPITAL POLICY SUBJECT: COMPLIANCE AND PRIVACY UNIVERSITY HOSPITAL POLICY TITLE: CODING: 831-200-958 ADOPTED: July 1, 2013 DISCLOSURES OF PERSONALLY IDENTIFIABLE HEALTH INFORMATION TO BUSINESS ASSOCIATES AMENDED/ REVIEWED:

More information

INTERMEDIARY AND PRODUCER COMPENSATION NOTICE

INTERMEDIARY AND PRODUCER COMPENSATION NOTICE INTERMEDIARY AND PRODUCER COMPENSATION NOTICE MetLife enters into arrangements concerning the sale, servicing and/or renewal of MetLife group insurance and certain other group-related products ( Products

More information