May 2015 | Issue 5
Wellness programs are HIP-AA! Find out how the HIPAA rules apply to your wellness program
It pays to be sick in Massachusetts! Proposed regulations released for Earned Sick Time law
Health Savings Accounts and High-Deductible Health Plan limits raised for 2016
FAQs RELEASED ON APPLICATION OF HIPAA TO WELLNESS PROGRAMS
The Department of Health and Human Services (HHS) recently released a set of Frequently Asked Questions (FAQs) on the application of the Health Insurance Portability and Accountability Act (HIPAA) to wellness programs. These FAQs come on the heels of the Equal Employment Opportunity Commission (EEOC) release of proposed regulations that seek to amend the Americans with Disabilities Act (ADA) to include additional rules and clarifications for wellness programs. A Breaking News piece on those proposed regulations is forthcoming from Barney & Barney’s Wellness Department. Highlights of the HHS FAQs on HIPAA and wellness are below.
Background
The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) protect an individual’s identifiable health information held by covered entities and their business associates (called “Protected Health Information” or “PHI”). Covered entities under HIPAA are health care clearinghouses, health plans, and most health care providers. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve access to PHI (e.g., brokers and third-party administrators).
The Privacy Rule, among other things, regulates the uses and disclosures of PHI by a covered entity or business associate. The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to secure electronic PHI. The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and, in some cases, the media (and business associates to notify covered entities), of breaches of unsecured PHI.
FAQ
Q1: Do the HIPAA Rules apply to workplace wellness programs?
A1: Since the HIPAA Rules apply only to covered entities and business associates (and not to employers in their capacity as employers), the application of the HIPAA Rules to workplace wellness programs depends on the way in which those programs are structured. Some employers may offer
cost-sharing amounts, in exchange for participation in a wellness program. Other employers may offer workplace wellness programs directly and not in connection with a group health plan.
Where a workplace wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is PHI and protected by the HIPAA Rules. While the HIPAA Rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA, and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates). HIPAA also protects PHI that is held by the employer as plan sponsor on the plan’s behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan. Where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by the HIPAA Rules. However, other Federal or state laws may apply and regulate the collection and/or use of the information.
Q2: Where a workplace wellness program is offered through a group health plan, what protections are in place under HIPAA with respect to access by the employer as plan sponsor to individually identifiable health information about participants in the program?
A2: The HIPAA Privacy and Security Rules place restrictions on the circumstances under which a group health plan may allow an employer as plan sponsor access to PHI, including PHI about participants in a wellness program offered through the plan, without the written authorization of the individual. Often, the employer as plan sponsor will be involved in administering certain aspects of the group health plan, which may include administering wellness program benefits offered through the plan. Where this is the case, and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents and certifies to the group health plan that it agrees to, among other things:
− Establish adequate separation between employees who perform plan administration functions and those who do not
− Not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule
− Where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information and ensure that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions
− Report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware
Further, where a group health plan has knowledge of a breach of unsecured PHI by the plan sponsor (i.e., an unauthorized use or disclosure that compromises the privacy or security of the PHI), the group health plan, as a covered entity under the HIPAA Rules, must notify the affected individuals, HHS, and if applicable, the media, of the breach, in accordance with the requirements of the Breach Notification Rule.
Where the employer as plan sponsor does not perform plan administration functions on behalf of the group health plan, access to PHI by the plan sponsor without the written authorization of the individual is much more circumscribed. In these cases, the Privacy Rule generally would permit the group health plan to disclose to the plan sponsor only:
− Information on which individuals are participating in the group health plan or enrolled in the health insurance issuer or HMO offered by the plan
− Summary health information if requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan
MASSACHUSETTS PAID SICK LEAVE LAW, PROPOSED REGULATIONS RELEASED
The Massachusetts Attorney General’s Office recently released proposed regulations for the voter-approved state paid sick leave law. Effective July 1, 2015, the new law will require employers with 11 or more employees nationwide to provide paid sick leave (employers with fewer than 11 employees must provide unpaid sick leave). Sick leave accrues at a rate of one hour for every 30 hours worked, beginning July 1, 2015, or the date of hire, and may be used after 90 days of employment. Employers may cap usage at 40 hours a year and must allow carryover of unused sick time up to 40 hours a year (if available). Highlights of the proposed regulations are below.
− Employers may, but are not required to, establish policies to pay out up to 40 hours a year of earned sick time at the end of each calendar year, provided employees are given at least 16 hours of sick time at the beginning of the new calendar year
− A leave accrual calendar year is any 12-month consecutive period chosen by the employer, so long as it is uniform and consistent
− An employee is eligible to accrue and use earned sick time if the employee’s primary place of work is in the state. An employee need not spend more than 50% of working time in the state for it to be the primary place of work
Action Required for Some Employers
Employers with wellness programs should ensure they are HIPAA compliant (self-funded plan sponsors must also be HIPAA compliant – including those employers with Flexible Spending Accounts, Health Savings Accounts and Health Reimbursement Accounts).
For complete details, see: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/wellness
Action Required for Some Employers
Employers with Massachusetts employees should ensure their leave policy complies with the state leave law. If the employer already has a leave policy that accrues at the same rate or is more generous, no new leave policy is required. Employers must maintain records for a period of three years. Employers are also required to post a notice of the Earned Sick Time law and these regulations in a conspicuous place in every establishment in the state where other legal-rights posters are hung, and to provide a copy to employees. The notice will be drafted by the Attorney General’s office and posted on its site:
http://www.mass.gov/ago/doing-business-in-massachusetts/labor-laws-and-public-construction/earned-
HEALTH SAVINGS ACCOUNTS AND HIGH-DEDUCTIBLE PLAN 2016 COST-OF-LIVING ADJUSTMENTS RELEASED
The Internal Revenue Service (IRS) recently released the 2016 cost-of-living adjustments for Health Savings Accounts (HSA) and High-Deductible Health Plans (HDHP). Highlights are below.
HSA Contribution Limits
− The 2016 annual HSA contribution limit for individuals with self-only HDHP coverage is $3,350 (unchanged from 2015), and the limit for individuals with family HDHP coverage is $6,750 (a $100 increase from 2015)
HDHP Minimum Required Deductibles
− The 2016 minimum annual deductible for self-only HDHP coverage is $1,300 (unchanged from 2015) and the minimum annual deductible for family HDHP coverage is $2,600 (unchanged from 2015)
HDHP Out-of-Pocket Maximums
− The 2016 maximum limit on out-of-pocket expenses (including items such as deductibles, copayments, and coinsurance, but not premiums) for self-only HDHP coverage is $6,550 (a $100 increase from 2015), and the limit for family HDHP coverage is $13,100 (a $200 increase from 2015)
Action Required
Employers with applicable plans should ensure they are prepared to implement these changes for their 2016 plan years, keeping in mind these are tax year limits regardless of plan year.
QUESTION OF THE MONTH
Q: We are considering contracting with a cloud storage provider to back up our health plan’s electronic protected health information (ePHI). Do we need a HIPAA business associate contract with the cloud storage provider?
A: By referring to cloud storage, we assume that you are describing off-site storage of ePHI on servers owned and managed by a third party. In that case, you probably will need a business associate contract with the cloud storage provider.
Under final regulations published in January 2013, a HIPAA business associate generally is an entity that creates, receives, maintains, or transmits PHI to perform a service on behalf of a covered entity (including a group health plan). Prior to the 2013 regulations, some contended that companies providing storage of paper or electronic records should not be treated as HIPAA business associates, analogizing to an exception carved out for “conduits” of PHI. The conduit exception applies where the service provider is not intended to access PHI as part of its services and does not actually access PHI except on a random or infrequent basis.
The 2013 regulations seem to preclude reliance on the conduit exception in the context of data storage, including cloud storage. The regulatory preamble explains that the business associate definition was modified to include entities that “maintain” PHI on behalf of covered entities to address storage providers. Also, the preamble notes that the conduit exception is intended to apply only to transmission of PHI (as well as “temporary” storage of transmitted data incident to the transmission). In contrast, when the service being provided is storage itself, the conduit exception will not apply. HHS reasons that storage providers should be treated as business associates if they have the persistent opportunity to access PHI, regardless of whether they actually take advantage of the opportunity or are intended to have access as part of their services. In most cases, cloud storage providers have the ability to access ePHI stored on their servers and therefore will fall within the definition of a HIPAA business associate.
When analyzing this issue, it is important to keep in mind the HIPAA security rule, as well as the privacy rule. The security rule requires covered entities (and their business associates) to adopt safeguards to protect the confidentiality, integrity, and availability of ePHI. Therefore, in addition to a business associate agreement addressing HIPAA privacy rule requirements, you must consider, as part of your risk analysis, whether ePHI stored on the cloud can be corrupted (intentionally or unintentionally) and whether you need an additional backup plan in case ePHI stored on the cloud becomes inaccessible.