Don’t look now, but another HIPAA deadline is just around the corner.
As we noted last month, the deadline is looming for employer-sponsored health benefit plans to come into compliance with U.S. Department of Health and Human Services rules governing the privacy and security of their “protected health information” (PHI), as well as notification requirements for certain breaches of such PHI. Released in January, the rules had an effective date of March 23, 2013, but also provided a 180-day grace period for entities covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) such as employer health plans, along with the outside service providers to plans. The grace period ends on September 23, 2013, by which point group health plans and other “covered entities” and “business associates” are required to be in compliance with the applicable provisions of the final rules.
Among other things, the final rules: (1) significantly expand the scope and impact of the HIPAA privacy and security rules on vendors—business associates—who work with group health plans; (2)revise rules covering individual rights regarding PHI, as well as other rules, to take into account changes made by the Health Information Technology for Economic and Clinical Health (HITECH) Act; and (3) make additional changes required by the Genetic Information Nondiscrimination Act of 2008 (GINA).
In light of the new rules, plan sponsors will generally want to:
- update existing business associate agreements with providers such as claims administrators, pharmacy benefit managers, insurance brokers, and benefit consultants;
- update the Notice of Privacy Practices distributed to participants to explain participant rights and other features of the plan’s handling of PHI;
- review and revise internal policies and procedures that govern a plan’s handling, use, and disclosure of PHI, especially those governing breaches of “unsecured” PHI; and
- train the benefits staff that actually administers the plan on these new legal developments and any changes to the plan’s policies and procedures that are made in response.
Finally, though these regulations did not modify the existing laws and regulations that govern PHI that is stored electronically, or “e-PHI,” many employers may find this an opportune time to review the compliance steps that were taken when those rules first took effect in 2004 and 2005 to ensure that they are still adequate.