Earlier this year, the Department of Health and Human Services (HHS) issued the final privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA). The final regulations make a number of changes to the rules regarding business associates, breach notification, and enforcement. Generally, employer group health plans need to comply with the final regulations by September 23, 2013. Plans that are not in compliance could face penalties for each violation that range from a minimum of $100 to a maximum of $1.5 million, with the largest penalties applying to violations involving willful neglect.
To comply with the final regulations, employers should take the following actions:
- Notice of Privacy Practices – Revise the existing Notice of Privacy Practices to incorporate the new disclosure requirements. The revised notice should state that individuals will be notified of a breach of unsecured PHI, that written authorization is required before PHI is sold or used for marketing purposes, and that PHI containing genetic information may not be used for underwriting purposes. Employers should post the revised notice on the group health plan’s website by September 23, 2013 and distribute it with open enrollment materials.
- Business Associate Agreements – Review plan providers and determine whether any of them are now business associates under the final rule’s expanded definition of business associate. For example, under the new rules PHI data transmission service providers, providers that require routine access to PHI, shredding companies, and providers that maintain or store PHI are now business associates. Employers should ensure that plans enter into a compliant business associate agreement (BAA) with every business associate: agreements with all new business associates must be in place by September 23, 2013, and BAAs that existed prior to January 25, 2013 (and do not expire or renew and are not otherwise modified) must be updated no later than September 23, 2014.
- HIPAA Policies and Procedures – Review and revise existing HIPAA policies and procedures to comply with the changes required under the final regulations. Any update should reflect the changes to the breach notification procedures (which now presume that a breach of unsecured PHI has occurred unless the plan or business associate can demonstrate that the probability the PHI has been compromised is low), the expansion of individual rights, the expanded restrictions on marketing and sale of PHI, and the prohibition on the use of PHI for underwriting purposes.
- Training – Provide workforce training on all new policies and procedures. Training should focus on the changes to the breach notification procedures.
Employers should take the steps outlined above, but additional action is necessary to be in full compliance with the new regulations.
Employers need to take many steps to be in compliance with the new HIPAA regulations, the first being the updated notice of privacy practices.