Under the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA), "covered entities," including employer-sponsored self-insured group health plans, are required to establish procedures to safeguard protected health information. On January 25, 2013, the Department of Health and Human Services issued final regulations on the HIPAA privacy and security provisions. These final regulations replace, and in some cases differ from, the prior guidance. Among the changes: a broader definition of "business associate"; direct application of all security provisions to business associates; a revised process for determining whether a breach has occurred; new rights for individuals to access protected health information and to restrict its disclosure; and new restrictions on the information a plan may disclose for underwriting purposes. In light of these changes, employers should review, and amend as necessary, the HIPAA compliance documents and practices that govern their self-insured health plans.

Specifically, the following documents should be reviewed and amended as necessary:

  • Notice of Privacy Practices
  • HIPAA Privacy and Security Policy
  • Business Associate Agreements

In addition to document review, employers should evaluate their risk assessment and HIPAA training programs to confirm they are up to date with the recent changes to the law. These new regulations are generally effective September 23, 2013.