The Health Insurance Portability and Accountability Act of 1996 (HIPAA) treats an employer-sponsored group health plan as a “covered entity” that must comply with the Privacy and Security Rules, which originally became effective April 23, 2003. The Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009, made significant changes to the HIPAA Privacy and Security Rules. Early this year, the Department of Health and Human Services (HHS) issued final regulations under HITECH, which require most employer-sponsored group health plans to update their HIPAA Privacy and Security compliance materials no later than September 23, 2013.
Changes made by HITECH and the final regulations include notice obligations in the event of prohibited disclosures of protected health information; compulsory obligations and liabilities of business associates and their subcontractors; modified disclosure requirements under the notice of privacy practices; enhanced individual rights regarding access to, accounting of, and restrictions on protected health information; limitations on use of genetic information for underwriting purposes; revised provisions relating to sale or marketing of protected health information; and compliance and enforcement changes by HHS.
The level of responsibility and HIPAA compliance effort may vary from one employer to the next depending on the employer’s group health plan design (such as whether the plan is fully insured through an insurance carrier or self-insured through the employer’s general assets) and/or the level of employer involvement in administering the plan, and thus in receiving and maintaining protected health information about plan participants. At a minimum, we recommend that all employers sponsoring a group health plan discuss with their attorney or other advisor what action they should take to ensure compliance with HITECH and the final regulations. This action may include formally amending the health plan document and employer certification, revising the plan’s HIPAA written policies and procedures and notice of privacy practices, entering into new business associate agreements with plan vendors, and holding new training sessions for workforce members regarding the new rules.