HIPAA Final Regulations

In January of this year, the Department of Health and Human Services issued final regulations (also referred to as the “Omnibus Rule”) that include changes to the privacy, security and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and provide rules implementing the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”). The following are some of the changes included in the final regulations:

  • Expanding the definition of “business associates” to include any entity that creates, receives, maintains or transmits protected health information (PHI).
  • Business associates are now directly subject to the HIPAA and HITECH rules.
  • Modifying the breach notification rules to require disclosure of a breach unless the group health plan conducts a risk assessment demonstrating that there is a low probability that PHI has been compromised.
  • Tightening the restrictions on the use of PHI for marketing and fundraising activities.
  • Prohibiting the sale of PHI without individual authorization.
  • Restricting disclosures concerning treatment for which an individual has paid out-of-pocket in full.
  • Expanding individual rights to receive electronic copies of health information.

Generally, the final regulations are effective March 26, 2013. However, group health plans and other covered entities have until September 23, 2013, to update documents to comply with the final regulations. Business associate agreements (“BAAs”) are subject to a special transition rule. BAAs in place as of January 25, 2013, that are not modified between March 25, 2013, and September 23, 2013, will be deemed compliant until the earlier of (i) the date the BAA is renewed or modified, and (ii) September 22, 2014.

We have updated our model form documents in order to reduce the cost of the compliance for our clients and are available to assist you in updating your covered health plans’ HIPAA privacy and security policies and procedures, privacy notices and business associate agreements.

Health Care Reform


The Patient Protection and Affordable Care Act (PPACA) requires all employers subject to the Fair Labor Standards Act to provide employees with a notice regarding the public health insurance exchanges that are being established as part of health care reform. The Department of Labor has issued model notices to assist employers in meeting this notice obligation.

Use of the model notice will be considered good faith compliance with the notification requirement. Part A of the model notice includes general information about public health exchanges. Part B provides additional information specific to the employer’s group health plan that is not mandated by health care reform. We recommend that all employers review the model notices and carefully consider their options for complying with the notification requirements. We are available to assist in this process.

Employers must provide the notice to all existing employees, whether or not they are enrolled in the employer’s group health plan, no later than October 1, 2013. The notice must be provided upon hire to employees engaged on or after October 1, 2013. For 2014, the notice will be deemed timely if provided to new employees within 14 days of the date of hire. The notice may be hand delivered, supplied by “first class mail” or may be provided electronically in compliance with the DOL’s rules for electronic delivery.


The Department has also issued an updated COBRA notice that has been revised to include information about the public health insurance exchanges.


PPACA imposes a fee on self-funded group health plans and issuers of insured health insurance policies to fund the Patient-Centered Outcomes Research Institute (PCORI). The fee is effective for plan years ending on or after October 1, 2012, and before October 1, 2019, and is due no later than July 31 of the year following the last day of the plan year. For example, the 2012 PCORI fee for self-funded calendar year plans is due July 31, 2013. The IRS has modified Form 720 and the related voucher, Form 720-V, for use in remitting annual PCORI fees. It has also published related instructions.

U.S. Supreme Court Strikes Down DOMA

On June 26, 2013, the Supreme Court of the United States held that the Defense of Marriage Act (DOMA) is unconstitutional under the Fifth Amendment to the United States Constitution. We will provide analysis of the impact of this decision on employee benefits offered by employers in a future alert.