Earlier this year, the Department of Health and Human Services ("HHS") issued the long-awaited final regulations (regulations available here; Healthcare Practice Group alert available here) modifying the Health Insurance Portability and Accountability Act’s privacy and security rules (collectively "HIPAA"). The modifications included rules pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and the Genetic Information Nondiscrimination Act of 2008 ("GINA"). In general, HIPAA covered entities must comply with the new rules in operation beginning September 23, 2013.
Below is a list of action items for employers that sponsor group health plans that are considered HIPAA covered entities, including self-insured group health plans (which include most healthcare flexible spending accounts and health reimbursement arrangements).
- Notice of Privacy Practices: HIPAA requires covered entities to maintain and periodically distribute a notice of privacy practices. The new rules require several additions to the notice. If you post your notice on a website that is maintained for your group health plan, the revised notice must be posted by September 23, 2013, and you must include the revised notice in the next annual mailing to plan participants (e.g., open enrollment mailing). If you do not post your notice on a website that is maintained for your group health plan, you must provide the revised notice to plan participants by November 22, 2013.
- Policies and Procedures: HIPAA requires covered entities to maintain and implement policies and procedures that are designed to comply with the privacy and security rules. The new rules require several modifications to your HIPAA policies and procedures, including with respect to breach notification. While the new rules do not provide an explicit deadline for updating your policies and procedures, the best practice is to update your policies and procedures prior to the September 23, 2013 operational compliance effective date.
- Workforce Training: HIPAA requires covered entities to provide training on the HIPAA policies and procedures for all members of their health plan workforce. Since the new rules will require several material modifications to your HIPAA policies and procedures, you are required to timely re-train health plan workforce members on the revised HIPAA policies and procedures. Emphasis should be placed on training workforce members to identify and report breaches of unsecured protected health information in a timely manner. Bass, Berry & Sims employee benefits attorneys are available to provide on-site or remote HIPAA training to your health plan workforce members.
- Business Associate Agreements: HIPAA requires covered entities to enter into a HIPAA-compliant business associate agreement with each of the health plan’s business associates (i.e., an entity that performs services for the health plan and has access to protected health information). You will need to amend or restate your business associate agreements to reflect the new rules. HHS provided transition relief that delays the deadline to amend an existing business associate agreement for up to one year beyond the general operational compliance effective date of September 23, 2013, provided (i) the agreement was effective prior to January 25, 2013 and compliant with the HIPAA rules that were in effect as of that date, and (ii) the agreement will not be modified or renewed from March 26, 2013 until September 23, 2013. An existing business associate agreement that meets these requirements will be deemed compliant with the new rules until the earlier of the date the agreement is renewed or modified, or September 22, 2014.
Now is the time for employers to refocus on HIPAA and prepare for an audit by HHS. As required by the HITECH Act, the new rules strengthen HIPAA’s enforcement provisions, including through increased civil penalties for violations. In addition, HHS completed a 12-month HIPAA audit pilot program in 2012 that is expected to be the precursor to a permanent audit program.