The Department of Health and Human Services (“HHS”) has issued additional requirements for covered entities that maintain protected health information or contract with a business associate for health plan-related services.
There are a number of technical changes made by the new guidance. The more significant changes are as follows:
- The extension of the privacy and security rules to vendors employed by business associates.
- Changes to the rule that make it more likely that notice of security breach will need to be provided to plan participants.
- Clarification as to the use of and disclosure of genetic information that will impact wellness programs.
- Agreements with business associates will need to be revised to reflect the obligations required by the new rules. A sample agreement issued by HHS is available for use.
- These new rules take effect on September 23, 2013, with the possibility that business associate agreements will not need to be revised until September 23, 2014.
Takeaways: Employers will need to review and, likely, revise their privacy and security policies and procedures to comply with these new rules. More detailed information will be provided at our April 9th seminar titled, “Safeguarding Employers in 2013.” The seminar invitation can be found here.