New HIPAA Health Care Privacy Rules Pose Legal Traps for Contractor Workforce Management  

The new HIPAA health care privacy rules dramatically alter the legal risks associated with contingent workforce management. Their expanded scope and new formula for determining worker status create a minefield of complex compliance issues for those who manage a contractor-based workforce.

Until now, a worker’s status as employee or independent contractor has been the key issue for determining liability under various federal laws governing the workplace (i.e., labor, employment, tax, or benefits laws). Employers asking about their potential liabilities are typically told, “no, they’re not covered” for independent contractors, and “yes, they’re covered” for employees. HIPAA provides new questions and different answers. Regulations issued last month by the Department of Health and Human Services (DHHS) implementing HIPAA replace the “employee or contractor” classifications with new categories of “workforce member” and “business associate”. Yet these new classifications are just the tip of the legal iceberg. They create a new legal framework for group health plan administrators, health care providers, employers and other entities covered by HIPAA and involved in the use and electronic distribution of personal health information (PHI).

New Worker Status Categories: “Workforce Member” and “Business Associates”

Correct worker classification is the first step in HIPAA compliance. The second step is learning how to manage workers who fall into each group.

Determining worker status under HIPAA depends upon the degree of control the covered entity exerts over the worker. The following examples illustrate how these categories are used to determine whether a contractor is a “workforce member” or a “business associate”:

1) An IT professional who works on-site as a contractor for an indefinite period of time is likely to be considered a “workforce member”.

2) An IT professional who works on-site as a contractor for three days, on a particular assigned project, is likely to be considered a “business associate”.

The effects of this new classification formula can be illustrated by comparing HIPAA’s requirements with those of ERISA, the federal law governing employee benefits.

HIPAA Enforcement and Unexpected Legal Risks

Like other laws regulating the workplace, ERISA covers employees but excludes independent contractors and other contingent workers. By contrast, HIPAA covers all workers, both traditional employees and contingent workers. Any covered entity expecting HIPAA to impose requirements similar to those it has followed under ERISA and other workforce laws can face unexpected and costly legal risks.

Authority for enforcing HIPAA lies with the Department of Health and Human Services (DHHS). May 19 is the first enforcement deadline under the agency’s new “interim final regulations” issued last month. Penalties for non-compliance range from $100 for a single violation to a $250,000 fine and 10 years in prison for disclosing information for personal gain or with intent to cause malicious harm.

The rules adopt the procedures HHS has used for more than a decade in civil enforcement actions under the Social Security Act (SSA), in Medicare fraud cases and in other matters. They require that HHS provide notice and a hearing on any decision to impose penalties. Once a penalty is imposed, HHS must first notify the covered entity of its decision. The entity then has 60 days to request an administrative hearing. Failure to request a hearing within this time period results in an automatic penalty which cannot be appealed. More details on the enforcement hearing process are available from DHHS.

HIPAA Compliance

Employers and plan administrators must control the use and disclosure of PHI to both “workforce members” and “business associates”. For “workforce members”, this is accomplished by developing and implementing new workplace policies and procedures and by training workforce members on HIPAA compliance. For business associates, the necessary provisions must be incorporated in business contract agreements to ensure compliance.

Generally, health plan sponsors and other “covered entities” need to:

1) Identify those health plans that are subject to the new HIPAA requirements and any third party companies that need to comply (such as insurance companies or HMOs).

2) Protect all PHI by keeping it separate from your employment-related functions unless a worker expressly authorizes otherwise. Create this separation by either: a) designating an individual or department within your firm as a “designated entity” that maintains all PHI on a separate system not accessible to other individuals or departments, receives all PHI on behalf of the plan, and does not make employment-related decisions; or b) outsourcing all PHI to a third party administrator.

3) Create and implement compliance policies and procedures for workforce training, complaints, risk management, record-keeping, sanctions, individual PHI notices and notice amendment procedures.

4) Amend the group health plan document, and certify that the plan document has been amended and that the plan sponsor agrees to the required restrictions and conditions.

5) Develop procedures for handling individual requests for PHI use and disclosure restrictions, alternative means and locations for PHI communications, PHI access, amendments to an individual’s PHI, and accounting of PHI uses and disclosures.

6) Designate a privacy officer and contact person.

Training

Effective training is vital for HIPAA compliance. In the examples above, “workforce members” will participate in your HIPAA training. Business associates will not. Despite its distinctions between “workforce members” and “business associates”, the law does not prohibit you from training your business associates along with your workforce members. On the contrary, HIPAA provides that a contractor who works next to an employee can receive the same training. If you are uncertain about a worker’s status, you cannot err by providing training. Training all workers is the surest way to avoid the costly consequences of worker misclassification under HIPAA.

Business Associates

A “business associate” is a contractor or other non-workforce member hired by a “covered entity” to do work involving the use or disclosure of PHI. Contractors whose services don’t require access to protected health information, such as electricians and photocopy repair technicians, are not “business associates”.

While employees are generally classified as “workforce members”, independent contractors can fall into either category (“workforce member” or “business associate”) depending upon the duration of their work for a particular firm and other factors. Temporary staffing agencies, by contrast, generally fall into the “business associate” classification. This new distinction makes it particularly important for staffing agencies and their temporary workers to be certain that they have HIPAA-compliant Business Associate Agreements to avoid potentially costly liabilities (see the discussion of Business Associate Agreements below).

A vendor can “become” a business associate by virtue of the services it provides. A software vendor can become a “business associate” if it hosts software containing patient information on its server or accesses patient information when troubleshooting your software problems. If your company’s computer system contains any PHI, you need a business associate agreement with your vendors before allowing the software company access to protected health information.

Managing Business Associates

Managing business associates requires considerably more work to ensure legal compliance, including detailed contracts and confidentiality agreements. Contrast this with the independent contractor classification under tax, workers’ compensation and employee benefits laws (ERISA), where contractors are excluded and firms classifying their workers as “contractors” know this can reduce the overhead costs of legal compliance.

Business Associate Agreements

All business associates who receive PHI must sign a business associate agreement to protect all PHI which each individual business associate receives. If your company hires business associates (and specifically, independent contractors), you need to learn when and how to use these agreements. They must include specific written safeguards to protect all PHI that will be used or disclosed by your business associates. They should also list all other parties who are contracted as business associates by the “entity” to promote sharing of information on its behalf. Your “designated employee” receives this information from your business associates.

A Sample Business Associate Agreement is included in our new Contingent Workforce Forms Book, available at www.contingentlaw.com/publications.htm.

The Department of Health and Human Services (DHHS) offers eight guidelines for provisions to incorporate in business associate agreements:

1. Do not use or further disclose the information other than as permitted or required by the contract or as required by law.
2. Use appropriate safeguards to prevent use or disclosure of the information.
3. Report to the covered entity any use or disclosure of the information not provided for in the contract of which it becomes aware.
4. Make available PHI that the company keeps for inspection by the plan.
5. Make available PHI for amendment and incorporate any amendments to the information.
6. Make the company’s internal practices, books, and records relating to the use and disclosure of PHI available to the Department of Health and Human Services to determine the Plan’s compliance.
7. Upon termination of contract, if feasible, return or destroy all PHI received or created that it still maintains in any form and retain no copies of such information. If such return or destruction is not feasible, the protections of the contract will remain in place so as to protect the remaining PHI.
8. The contract may be terminated for a material breach.

Other provisions depend upon the language of existing contracts such as independent contractor agreements. Subcontracting is one area which, where appropriate, should be addressed so that business associates may subcontract tasks and PHI to other sources.

Confidentiality Agreements

Given the overriding importance of confidentiality under the new rules, confidentiality agreements should be signed by business associates and employees. While they are not required by HIPAA, they provide important protection against potential liabilities. Business associate contracts need to include confidentiality protections. Employees should be asked to sign them to acknowledge that they are dealing with confidential information and agree not to use or disclose it in an inappropriate manner.

Conclusion

The new health care privacy requirements raise important compliance issues for all parties in contingent workforce management. The growing use of independent contractors can be costly for entities that fail to comply with the new rules. When contractors are involved, it is important to: 1) recognize that HIPAA covers independent contractors, 2) learn how to properly classify workers under HIPAA’s categories of “workforce member” or “business associate” and 3) learn when to use business associate contracts and confidentiality agreements to adequately safeguard and protect any personal health information (PHI). Adopting these and other compliance steps now will help you avoid costly non-compliance risks in the future.

© 2003, Ronald E. Wainrib & Associates, Inc., All Rights Reserved.