If you haven’t focused on HIPAA lately, now is the time. On January 25, 2013, the Department of Health and Human Services issued final regulations implementing revisions to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a result of the extensive revisions to HIPAA made by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. (Click here for more information on the HITECH Act). These new regulations, known simply as the “Omnibus Regulations,” became effective March 23, 2013, and require all HIPAA-covered entities, including employer-sponsored group health plans, to update their HIPAA policies and procedures by September 23, 2013.
As described in our earlier post, “New Final Regulations Strengthen HIPAA Privacy and Security Rules,” these extensive Omnibus Regulations:
- expand the scope and impact of the Privacy and Security Rules on business associates;
- impose significant new restrictions on the use of protected health information (PHI);
- revise individual rights to reflect various HITECH Act requirements;
- implement new enforcement of the tiered penalty structure established by the HITECH Act;
- redesign the final HITECH Act breach notification rule; and
- include genetic information as in the definition of PHI.
If you provide medical, dental, vision, wellness, employee assistance benefits, or if you sponsor a health reimbursement arrangement or a health flexible spending account plan, your HIPAA privacy compliance is likely out of date and should be reviewed immediately in light of the Omnibus Regulations. Also, on or before September 23, 2013, your plan should update and reissue its Notice of Privacy Practices. Don’t forget that your privacy officer will need to arrange for updated training for all employees who may come into contact with protected health information on behalf of your health plans.
Finally, note that your business associate agreements also will require updating, but you have an extra year until September 23, 2014, to update those agreements that were in place when the Omnibus Regulations were issued in January. Any new business associates will need to execute agreements with the health plan which incorporate changes implemented by the new rules.
Please feel free to contact a member of the Ogletree Deakins employee benefits practice group for any compliance assistance you may need.
Stephanie A. Smithey is a shareholder in the Indianapolis office of Ogletree Deakins.