Employee Benefits Update - February 8, 2013
What Employers That Maintain Group Health Plans Need to Know About the HIPAA Omnibus Regulations
by Denise L. Atwood
On January 25, 2013, the Department of Health and Human Services (HHS) published final regulations that modify the Privacy, Security, Enforcement and Breach Notification Rules issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulations, referred to as “Omnibus Rules,” implement many of the changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was part of the American Recovery and Reinvestment Act of 2009.
The Omnibus Rules are effective on March 26, 2013, and covered entities (i.e., health plans, health care providers and health care clearinghouses) and business associates generally have 180 days from then (i.e., September 23, 2013) to comply with the new requirements. Transition rules apply to business associate agreements in existence prior to January 25, 2013, providing covered entities and business associates an additional year to bring such agreements into compliance unless the agreement is renewed or modified prior to September 23, 2013.
Summary of Action Items for Employers That Sponsor Group Health Plans
Employers that sponsor group health plans that are subject to HIPAA’s Privacy and Security Rules have a short period of time to familiarize themselves with the changes made by the Omnibus Rules and make sure that they comply with the new requirements. Plan sponsors should consider taking the following steps:
• Review and revise the group health plan’s HIPAA policies and procedures to comply with all of the changes required under the Omnibus Rules.
• Review and revise the plan’s privacy notice to incorporate the new disclosure requirements and redistribute the notice in accordance with the new guidelines.
• Revise forms utilized by individuals to exercise their privacy rights to address changes made by the Omnibus Rules.
• Review whether the plan engages in any marketing practices that will be subject to prior authorization requirements.
• Review whether the plan needs to enter into business associate agreements with service providers that transmit electronic protected health information (PHI) or store PHI on the plan’s behalf, or with vendors that allow the group health plan to offer personal health records.
• Amend business associate agreements to comply with the changes under the Omnibus Rules.
The Omnibus Rules make a number of significant changes, including changes to the breach notification standard, business associate liability, marketing requirements, individual access rights and privacy notice disclosures. For more information about the changes, read the full newsletter.