Who Must Comply?

Employers that provide self-funded benefits to their employees must comply with the HIPAA privacy rules. Self-funded health plans include major medical plans with claims paid from employer assets and stop loss coverage, medical flexible spending account plans, employee assistance plans, wellness programs, and self-funded vision or dental coverage. Fully-insured plans are not required to comply with the majority of the HIPAA privacy provisions as long as the employer only receives eligibility information from the insurance carrier. There is also an exemption from many of the compliance obligations for self-funded plans with fewer than 50 participants where the employer processes all claims, but plans meeting this exemption are rare.


January 25, 2013: Long-awaited final regulations on HIPAA privacy rules were issued by U.S. Department of Health and Human Services (HHS).

March 26, 2013: New regulations become effective. Employer personnel responsible for privacy compliance should be notified of the changes now, and should receive additional training once the employer's compliance plans are updated for the new guidance.

September 23, 2013: Deadline for most action items. Employers must be in compliance with the new regulations by this date, but have a grace period until September 2014 for amending business associate agreements that were in place as of January of this year, if not changed before then in some other fashion.

What are the Action Items?

Employers will need to begin work now to ensure compliance by the September 2013 deadline. Here are the action items:

  1. Identify Business Associates – The final regulations expand the definition of business associate to include a vendor that creates, maintains, receives or transmits protected health information (PHI) provided to or from the plan. So, for example, providers of cloud storage of data are now considered business associates even if the data is never accessed by the provider. Employers must identify all of the contractors that may maintain, transmit or have access to any health information provided to or from the plan. Typical providers include: claims processor, insurance broker, stop loss carrier, accountant, attorney, IT provider, janitorial provider, and cloud storage provider.
  2. Update Business Associate Agreements – A business associate agreement (BAA) must be in place between the plan and each business associate. A business associate must in turn have a BAA with each of its subcontractors that might come in contact with PHI related to the plan. A BAA is intended to provide written satisfactory assurances to the plan that the business associate will appropriately safeguard the PHI just as the plan is required to do. While certain HIPAA privacy and security requirements are directly applicable to business associates, employers can be assessed penalties for violations by their service providers, so BAA provisions should be carefully drafted to limit risk to employers. BAAs must be updated by September 23, 2013, or, if a BAA was in place with a service provider on January 25, 2013, the deadline is September 23, 2014 or any earlier date when the BAA is amended. Plans and business associates must comply with the new privacy rules now even though the BAA has not yet been amended.
  3. Update Written Privacy Policy – The employer's written privacy policy must be updated to reflect the new rules on business associates, new rules on disclosures for marketing and fundraising, disclosure of information to participants, and the procedure for addressing breaches (disclosures in violation of the privacy rules). Plans should also re-evaluate the security of physical and electronic PHI and document that evaluation as well as the procedures determined necessary to protect the confidentiality of information.
  4. Update and Distribute Notice of Privacy Practices – A self-insured employer group health plan or an insurer of a fully-insured employer group health plan is required to provide a Notice of Privacy Practices to plan participants. This Notice must be revised and distributed to plan participants. If the Notice is posted on a website, the revised Notice must be posted by September 23, 2013. Otherwise, the Notice must be revised for distribution to new participants enrolling after September 23, 2013 and provided to current participants no later than November 22, 2013.
  5. Update Plan and SPD – Plan terms regarding HIPAA privacy must be amended, and any description of the HIPAA privacy rules in an SPD or benefits booklet must be reviewed to determine whether updates are needed.
  6. Train Workforce – Individuals who may need access to PHI should be trained on the HIPAA privacy rules and the employer's policy and procedures, and in particular, the rules for addressing any improper disclosure, which are often referred to as the breach rules.
  7. Update forms and processes – Authorization forms for release of health information may need updates, as well as the process for complying with participant requests for restrictions on the use of PHI that are now allowed, and for providing electronic copies of PHI if requested.


New HIPAA breach penalties are higher, and HHS has been aggressive in its enforcement efforts. Penalties are measured per individual involved in each improper disclosure. Penalties begin at $100 per violation, where the employer did not know and would not have known of the violation by exercising reasonable diligence. Penalties increase to $1,000 per violation where there is reasonable cause. In each case, HHS has the discretion to assess as much as $50,000 per violation. Penalties increase to $10,000 to $50,000 per violation if there is willful neglect but the violation is corrected within 30 days from when the violation was discovered or should have been discovered using reasonable diligence. Penalties are $50,000 per violation that is determined to be due to willful neglect that is not timely corrected. For all penalties in any tier, the aggregate in any one calendar year will not exceed $1,500,000.