Group health plan sponsors need to take action soon to ensure compliance with the health information privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act (HIPAA).  Earlier this year, the Department of Health and Human Services issued new regulations revising existing HIPAA requirements and implementing changes required by the Health Information Technology for Economic and Clinical Health Act.  The compliance deadline for the regulations is September 23, 2013.

Plan sponsors need to take the following steps to ensure compliance.

  • Policies and Procedures.  HIPAA policies and procedures should be reviewed and updated as necessary to comply with the regulations.  Changes include enhanced individual rights to access protected health information (PHI) and request restrictions on disclosures of PHI.  Breach notification rules also must be revised.  
  • Notice of Privacy Practices.  The new regulations require notices of privacy practices to include the following:
    • a description of the types of uses and disclosures that require an authorization;  
    • a statement that genetic information may not be used for underwriting purposes; and  
    • a statement that affected individuals must be notified of a breach of unsecured PHI.

    The updated notice of privacy practices should be posted on the plan’s web site and distributed during open enrollment.
  • Business Associate Agreements.  The final regulations expand the definition of the term “business associate” and require additional provisions to be included in business associate agreements.  Plan sponsors need to determine whether any vendors not currently treated as HIPAA business associates must agree to a business associate agreement.  Business associate agreements need to be reviewed and updated.  The deadline for amending business associate agreements that were in effect on January 25, 2013 is September 23, 2014.  New business associate agreements or agreements that expire or are modified before September 23, 2014 should be revised as soon as possible.