Health Plan Liability Heats Up As Plans & Businesses Face New Obligations, Costs & Exposures under New HIPAA Privacy Rules Effective 2/17 & Other Expanding Federal Health Plan Mandates

February 17, 2010

Today (February 17, 2010), employer and other health plans and health insurers (“covered entities”) and service providers performing functions on behalf of these entities (“business associates”) must begin complying with tighter federal requirements for the use, access, protection and disclosure of protected health information under the Privacy & Security Standards of the Health Insurance Portability & Accountability Act (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Coming as U.S. employers continue to struggle to provide health benefits in the face of skyrocketing health benefit costs, these and other new federal regulations impacting employment-based health plans and their sponsoring businesses, fiduciaries and administrators are forcing U.S. business leaders to make appropriate health plan cost and compliance management a key management priority.

2/17/10 & Other HIPAA Privacy Rule Changes Require Prompt Attention

The HIPAA Privacy Rule changes scheduled to take effect February 17, 2010 are likely to require that health plans and their business associates update their written policies, operational procedures, privacy notices and business associate agreements in several respects.

While the HITECH Act gave covered entities and business associates a year to complete the necessary arrangements to comply with these impending HITECH Act changes, many health plans and business associates have not completed the necessary arrangements despite expanding liability exposures that can result from noncompliance. To mitigate these exposures, covered entities and their business associates should act quickly both to update their services agreements, plans and policies, practices, and procedures, and to implement the training, oversight, and other management procedures necessary to comply with the HITECH Act changes and to mitigate other HIPAA risks.

The risks of noncompliance for health plans, business associates and others mishandling protected health information are real and growing. Wrongful use, access or disclosure of protected health information in violation of HIPAA subjects participating health plans, health care providers, health care clearinghouses, their business associates and other workforce members and others to civil penalties,  criminal prosecution and, since February 17, 2009, civil lawsuits brought by state attorneys general on behalf of citizens of their states whose HIPAA rights were violated.  Since September 23, 2009, health plans and other HIPAA covered entities as well as their  business associates also became obligated to provide breach notification under new mandates imposed by the HITECH Act. 

In addition to these HIPAA-specific exposures, wrongful use, access or disclosure of medical information also can give rise to liability for health plans and other covered entities, business associates, employees and other members of their workforce and others improperly using, accessing or disclosing protected health information. Federal and state prosecutors may and increasingly do criminally prosecute individuals for improperly accessing or using medical or other personal information under a variety of other federal or state laws. See, e.g., Cybercrime & Identity Theft: Health Information Security Beyond HIPAA; NY AG Cuomo Announcement of 1st Settlement For Violation of NY Security Breach Notification Law; Woman Who Revealed AIDS Info Gets A Year. Additionally, state courts increasingly are permitting individuals harmed by HIPAA violations to use HIPAA as the foundation of state law duties used to maintain state negligence, invasion of privacy, retaliation or other claims for damages.

To manage these and other HIPAA-related risks, sponsoring employers, fiduciaries, administrators, insurers and their vendors should begin by carefully and timely reviewing and updating existing plan documents, vendor agreements, privacy notices and other communications and associated practices and policies. These efforts should seek both to adopt the specific technical changes necessary to make the health plans and their contracts technically comply on paper with these and other HIPAA mandates, and to tailor these documents, communications and practices to promote operational compliance and minimize exposure to associated risks. In relation to these efforts, sponsoring employers, insurers, fiduciaries and administrators also should ensure that required certifications from employers and other plan sponsors, representations from business associates, training and other compliance conditions are properly in place. In this respect, employers sponsoring health plans should not overlook the potential need to adopt appropriate policies and implement needed training and safeguards to enable the health plan and the employer to demonstrate, if necessary, that HIPAA’s requirements for sharing protected health information with members of the employer’s workforce for plan administration, underwriting or certain other purposes have been satisfied.

Other Health Plan Updates Also Required

The HIPAA Privacy Rule changes effective today are only part of the ever-growing list of federal mandates that group health plan sponsors, fiduciaries, insurers, administrators and service providers need to be concerned about.  In addition to the new HIPAA Privacy Rule requirements taking effect today, health plans, their sponsors, administrators, fiduciaries, insurers, business associates and other service providers face a host of other new federal health plan and privacy mandates that have taken effect over the past year, and will become subject to additional mandates in upcoming months.  Consequently, while focusing on HIPAA compliance, health plans, their employer or other sponsors, insurers, fiduciaries, administrators and service providers also should not overlook the need to review and update their health plans in response to a host of other changes in federal health plan mandates.

In addition to otherwise applicable civil damage awards and civil penalty exposures that can result from violations of these requirements, new Internal Revenue Service regulations that took effect January 1, 2010 also require that employers, health plans or others self-report violations of certain of these requirements and self-assess and pay resulting excise taxes arising under the Internal Revenue Code. See, e.g., COBRA, HIPAA, GINA, Mental Health Parity or Other Group Health Plan Rule Violations Trigger New Excise Tax Self-Assessment & Reporting Obligations.

The highly volatile health plan regulatory environment makes it likely that many health plans are not appropriately updated to comply with these and other federal requirements. In recent months, health plans, their employer or other sponsors, administrators and others also have become obligated to comply with a host of other expanded federal health plan rules and requirements. See e.g., New Mental Health Parity Regulations Require Health Plan Review & Updates; New Labor Department Rule Allows Employers 7 Days To Deliver Employee Contributions To Employee Benefit Plans; Newly Extended COBRA Subsidy Rules Require Employers, Administrators Send Required Notices & Update Health Plan Documents & Procedures Quickly;  Employer & Other Health Plans & Other HIPAA-Covered Entities & Their Business Associates Must Comply With New HHS Health Information Data Breach Rules By September 23.

These and other developments make it imperative that health plans, their employer or other  sponsors, administrators, insurers, fiduciaries and service providers get serious about complying with these and other federal health plan mandates and managing health plan related liabilities and costs. Sponsors, insurers, fiduciaries and administrators should ensure that health plan documents, insurance and other vendor contracts, policies, procedures and communications are timely updated to comply with these and other emerging mandates.  When implementing these updates, parties concerned about costs or liabilities also should exercise care to ensure that plan documents, communications, contracts, administrative forms and procedures are optimally designed and drafted not only to be technically compliant, but also to support the enforceability of plan design and cost expectations, minimize administrative and other avoidable costs, and minimize liability exposures.  In furtherance of these efforts, employer and other plan sponsors also should consider tightening their practices and requirements for credentialing, selection, oversight and contracting with administrators and vendors, and take other prudent steps to manage health plan related risks.

Curran Tomko Tarski LLP Can Help

If your organization needs advice or assistance in reviewing, updating, administering or defending its HIPAA or other privacy policies, practices, business associate or other agreements, notices or other related activities, consider contacting Curran Tomko Tarski LLP Partner Cynthia Marcotte Stamer.

A widely published author and speaker on HIPAA and other employee benefit and human resources related matters, Ms. Stamer has extensive experience advising health plans, their employer and other sponsors, health insurers, TPAs and other business associates and others about HIPAA and other health plan and privacy matters. Currently serving as both Chair of the American Bar Association (ABA) RPTE Employee Benefits & Other Compensation Group and as an ABA Joint Committee on Employee Benefits Council representative and Former Chair of the ABA Health Law Section Managed Care & Insurance Interest Group, Ms. Stamer has more than 23 years’ experience assisting employers, insurers, plan administrators and fiduciaries and others to design, implement, draft and administer health and other employee benefit plans and to defend audits, litigation or other disputes by private parties, the IRS, Department of Labor, Office of Civil Rights, Medicare, state insurance regulators and other federal and state regulators. A nationally recognized author and lecturer, Ms. Stamer also speaks and writes extensively on these and other related matters. For additional information about Ms. Stamer and her experience or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly. For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarski LLP team, see here.

Other Information & Resources

We hope that this information is useful to you. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile here or e-mailing this information here or registering to participate in the distribution of our Solutions Law Press HR & Benefits Update distributions here.

 ©2010 Cynthia Marcotte Stamer. All rights reserved.


Inapplicability of HIPAA Privacy To Disability Insurer Not License To Impose Unreasonable Claims Requirements

February 8, 2010

By Cynthia Marcotte Stamer 

While finding the Privacy Standards imposed by the Health Insurance Portability & Accountability Act (HIPAA) inapplicable to disability insurers, a Louisiana Court of Appeals nevertheless recently ruled that the insurer was not entitled to dismissal of a state employee’s lawsuit challenging the denial of disability benefits for failure to meet proof of loss requirements based on his failure to sign an insurer-required medical authorization. Disability insurers and plan fiduciaries should heed the decision as a reminder that exemption from HIPAA does not amount to a license to impose unreasonable proof of loss or other requirements inconsistent with a reasonable reading of the terms of the applicable plan or policy, or other applicable regulations.

Harris v. Metropolitan Life Ins. Co., --- So.3d ----, 2010 WL 415262, 2009-0034 (La.App. 1 Cir. 2/5/10), involved a lawsuit challenging the continuing refusal of Metropolitan Life Insurance and its designates to approve the disability benefit claim of Louisiana Supreme Court employee Jack Harris. Metropolitan repeatedly insisted that Mr. Harris submit to a physical examination, sign various medical and other authorizations including an “Attending Physician’s Statement” and an “Employee Authorization,” and sign certain other documents. While Mr. Harris sent the “Attending Physician’s Statement” to his treating physician, he declined to sign the Employee Authorization and certain other subsequently requested consents on the grounds of HIPAA. While he provided HIPAA-compliant authorizations to his medical providers to release all medical records, medical opinions, and medical reports relating to his past and current treatment for purposes of the claim, he declined Metropolitan’s requests and instead filed suit contending that the information and releases already provided met the proof of loss requirements of the policy.

Upon motion of Metropolitan, the trial court found that Mr. Harris’ failure to sign the authorizations and submit to the medical examination required by Metropolitan rendered his claim “premature.” Upon appeal, however, the Court of Appeals overruled this determination. While the Court of Appeals agreed with the trial court that the special authorization rules imposed by HIPAA did not apply to a disability insurer such as Metropolitan, it also ruled that the insurer’s right to require a claimant to sign authorizations, submit to medical examinations or meet other proof of loss conditions must be reasonable in light of the terms of the policy. Accordingly, although the Court of Appeals agreed that the proof of loss and other provisions of the disability policy authorized Metropolitan to require a disability claimant to undergo an independent medical examination “as often as reasonably required,” it ruled that Mr. Harris’ submission to the independent medical examination was not a condition precedent to the initiation of litigation by an insured and that the “medical authorization” demanded by Metropolitan was far broader than what the policy allowed as reasonably required for the independent medical examination. The Court of Appeals therefore overruled the trial court’s dismissal of the disability claim and remanded the action to the trial court for hearing.

While affirming that the HIPAA Privacy Standards don’t directly apply to disability insurers, the Harris decision also demonstrates that disability insurers should not overestimate the effect of this exemption. While HIPAA may not apply, disability insurers generally remain bound by the reasonable construction of their policy terms, taking into account otherwise applicable laws and regulations. Accordingly, disability and other HIPAA-exempt insurers and plans should not mistake the inapplicability of the HIPAA authorization requirements for carte blanche to impose unreasonable authorization or other proof of loss requirements inconsistent with their policy terms.

If you have questions about or need assistance evaluating, commenting on or responding to this invitation or other employee benefit, employment, compensation, workplace health and safety, corporate ethics and compliance practices, concerns or claims, please contact the author of this article, Curran Tomko Tarski LLP Labor & Employment Practice Group Chair Cynthia Marcotte Stamer. Board Certified in Labor & Employment Law by the Texas Board of Legal Specialization, Chair of the American Bar Association RPTE Employee Benefits & Other Compensation Group, and a Council Member on the ABA Joint Committee on Employee Benefits, Ms. Stamer has more than 22 years’ experience advising and assisting employers, employee benefit plans and their fiduciaries, insurers, administrators, and others about policy and plan, process, and product design, administration, documentation, risk management and defense under ERISA, COBRA, HIPAA, labor and employment, tax, state banking and insurance, and other laws. Her work includes extensive experience advising and defending employee benefit plan fiduciaries and insurers about the investigation of disability, health and other claims and appeals. She also advises, assists, trains, audits and defends employers and others regarding the federal and state Sentencing Guideline and other compliance, equal employment opportunity, privacy, leave, compensation, workplace safety, wage and hour, workforce reengineering, and other labor and employment matters, and defends related litigation, charges, audits, claims and investigations by the IRS, Department of Labor and other federal and state regulators. Ms. Stamer also speaks, writes and conducts training extensively on these and other related matters. For additional information about Ms. Stamer and her experience, see here or to access other publications by Ms. Stamer see here or contact Ms. Stamer directly.
For additional information about the experience and services of Ms. Stamer and other members of the Curran Tomko Tarski LLP team, see here.
