The recent United States Supreme Court decision in Burwell v. Hobby Lobby Stores, Inc. has  attorneys, pundits, policy-makers and businesses (yes, corporations are people, too) pondering big, quintessentially American issues like the free exercise of religion, compelling government interests, and our fundamental right to make money (and, as a corollary issue, what distinguishes for-profit from not-for-profit corporations).  Perhaps not many people are pondering the HIPAA implications of this historic decision, but if you are reading this blog, you might be among the very few of us wondering what this decision means in terms of HIPAA protection.  Or, more likely, you are wondering why I don’t have better things to think about on the eve of a national holiday.

The majority notes that the Department of Health and Human Services (HHS) has effectively exempted certain religious nonprofit organizations (“eligible organizations”) from the contraceptive mandate imposed by the Affordable Care Act (ACA).  If an employer certifies that it is an eligible organization, its health insurance issuer must exclude contraceptive coverage from the employer’s plan and must provide separate payments for contraceptive services for plan participants without imposing fees or cost-sharing requirements on the eligible organization, its insurance plan, or its employee beneficiaries.  HHS regulations implementing this eligible organization contraceptive policy make it clear that the health insurance issuer is not acting as an insurance carrier under state insurance law because the payments for contraceptive coverage “derive solely from a federal regulatory requirement, not a health insurance policy… .”  If the eligible organization is self-funded, its third party administrator (TPA) must pay for contraceptive services (without imposing fees or cost-sharing requirements) or arrange for an insurer or other entity to pay for these services.

The Hobby Lobby majority endorses this “reasonable accommodation” for use by religious for-profit, closely-held corporations such as Hobby Lobby – it points out that HHS has the means to achieve its desired goal (here, employer plan coverage of contraceptives) without imposing a substantial burden on the exercise of religion by these closely-held corporate entities.

Back to HIPAA.  If a beneficiary of an eligible organization’s health plan seeks contraceptive coverage, and the health plan is not covering this benefit, who is the covered entity for purposes of HIPAA compliance?  If the eligible organization has a self-funded plan, is the TPA (which acts the business associate in relation to the self-funded plan in its normal course of operations) the “covered entity” for purposes of protected health information (PHI) related to contraceptive services?   This is an important question because presumably the beneficiary who is seeking contraceptive services must obtain coverage for these services someone other than the eligible organization’s health plan.

Women whose health plans do not cover contraception, whether because their employer plans were exempt from the ACA contraceptive coverage mandate under the pre-Hobby Lobby religious nonprofit exemption, or because the Hobby Lobby decision casts open the doors to new employer plan exemptions, may want to think about who’s responsible for protecting this very personal PHI.

The requirements of HIPAA impose other specific obligations on a covered entity and raise additional questions.  For example, what will the Notice of Privacy Practices of the covered entity (assuming we know who that is) look like for contraceptive services?  If the TPA (or other person now responsible for paying for contraceptive services) normally acts as a business associate in relation to the employer plan, does it now need its own Notice of Privacy Practices and business associate agreements with third parties to deal with its receipt of PHI related to contraceptive services?  These types of issues will likely become more clouded as cases involving other challenges to the ACA move through the courts.  Certainly, religious freedom is important and worth protecting, but so too is health information privacy.  Happy Fourth!

 

If you are a federally-facilitated health insurance exchange (FFE), a “non-Exchange entity”, or a State Exchange, the answer is “Quick, report!”  Those involved with the new health insurance exchanges (or “Marketplaces”?  The name, like the rules, seems to be a moving and elusive target) should make note that privacy and security incidents and breaches are to be reported within one hour of their discovery, according to regulations proposed by the Department of Health and Human Services (HHS) on June 19, 2013 (“Exchange Regulations”).  That’s right – within one hour, or a measly 60 minutes, of discovery of a breach involving personally identifiable information (PII), the entity where the breach occurs must report it to HHS.  Even a mere security “incident” would have to be reported within one hour.  The broad term “incident” would include:

[t]he act of violating an explicit or implied security policy, which includes attempts (either failed or successful) to gain unauthorized access to a system or its data, unwanted disruption or denial of service, the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent. 

Whereas HIPAA breaches (those involving protected health information, or PHI) affecting more than 500 individuals must be reported to HHS “without unreasonable delay and in no case later than 60 days after discovery” and (as discussed here in an earlier blog post) there is no express requirement for reporting of security incidents to HHS , HHS’s new proposal requires a 60-minute turn-around for PII breaches and incidents alike.  HHS says that it “considered but declined to use the definitions” for “incident” and “breach” provided under the HIPAA regulations because “the PHI that triggers the HIPAA requirements is considered a subset of PII, and we believe that the HIPAA definitions would not provide broad enough protections… .” 

The 60-minute turnaround time may sound familiar to Medicare Shared Savings Programs (MSSPs, also known as Medicare Accountable Care Organizations or ACOs).  Approved MSSPs must sign a Data Use Agreement with the Centers for Medicare & Medicaid Services (CMS) before it can obtain data from CMS that contains Medicare beneficiaries’ PHI.  The 60-minute turnaround under the Data Use Agreement is even a bit more onerous than that proposed in Exchange Regulations in that breaches of PII must be reported within 60 minutes of the breach, loss, or unauthorized disclosure itself, rather than within 60 minutes of discovery of the breach, loss, or unauthorized disclosure.  Then again, the Data Use Agreement doesn’t require reporting of “incidents” like attempted access or power interruptions, and CMS is thoughtful enough to provide a phone number and email address to be used in making the reports.

On June 25, 2012, William Maruca, Esq., the Editor of this blog and my health law partner at Fox Rothschild LLP, published an article entitled "What small business owners should know about each possible Supreme Court health-care ruling" on washingtonpost.com.  In the article Bill highlights the likely impact on small business owners of the numerous possible Supreme Court rulings in the pending Accountable Care Act case.  While the subject matter goes beyond the usual focus of this blog, I thought that the comments would be of significant assistance to many of those who are following this continuously unfolding drama.

Buried in the 906 pages of the healthcare reform bill signed into law on March 22 are a number of changes that will have an impact on health information technology. Among the changes are standards which, when implemented, will reduce or eliminate the need to submit paper attachments with claims, a pet peeve of many healthcare providers. The inability of most electronic systems to accept required attachments digitally has discouraged many providers from fully implementing electronic claims submission.

Section 1104 of the Act tweaks HIPAA’s administrative simplification provisions by requiring the Secretary of Health and Human services to adopt standards for health care transactions which enable point-of-care eligibility determinations; minimize the need for paper attachments to claims submissions; describe all data elements (including reason and remark codes) in unambiguous terms, require that such data elements be required or conditioned upon set values in other fields, and prohibit additional conditions (except where necessary to implement State or Federal law, or to protect against fraud and abuse). 

 

The Secretary is directed by Congress seek to reduce the number and complexity of forms (including paper and electronic forms) and data entry required by patients and providers.

 

Health plans will be also required to adopt “unique health plan identifier” numbers by 2012.

 

Health plans will need to certify their compliance with the new standards by 2015. Penalties for noncompliance begin on April 1, 2014.