Publication

Employee Benefits Update – What Employers That Maintain Group Health Plans Need to Know About the HIPAA Omnibus Regulations

Feb 08, 2013

What Employers That Maintain Group Health Plans Need to Know About the HIPAA Omnibus Regulations

by Denise L. Atwood

On January 25, 2013, the Department of Health and Human Services (HHS) published final regulations that modify the Privacy, Security, Enforcement and Breach Notification Rules issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The regulations, referred to as “Omnibus Rules,” implement many of the changes made by the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was part of the American Recovery and Reinvestment Act of 2009.
The Omnibus Rules are effective on March 26, 2013, and covered entities (i.e., health plans, health care providers and health care clearinghouses) and business associates generally have 180 days from then (i.e., September 23, 2013) to comply with the new requirements. Transition rules apply to business associate agreements in existence prior to January 25, 2013, providing covered entities and business associates an additional year to bring such agreements into compliance unless the agreement is renewed or modified prior to September 23, 2013.
 

Summary of Action Items for Employers That Sponsor Group Health Plans
Employers that sponsor group health plans that are subject to HIPAA’s Privacy and Security Rules have a short period of time to familiarize themselves with the changes made by the Omnibus Rules and make sure that they comply with the new requirements. Plan sponsors should consider taking the following steps:

• Review and revise the group health plan’s HIPAA policies and procedures to comply with all of the changes required under the Omnibus Rules.
• Review and revise the plan’s privacy notice to incorporate the new disclosure requirements and redistribute the notice in accordance with the new guidelines.
• Revise forms utilized by individuals to exercise their privacy rights to address changes made by the Omnibus Rules.
• Review whether the plan engages in any marketing practices that will be subject to prior authorization requirements.
• Review whether the plan needs to enter into business associate agreements with service providers who provide data transmission of electronic PHI or store PHI, or vendors who allow the group health plan to offer personal health records.
• Amend business associate agreements to comply with the changes under the Omnibus Rules.

The Omnibus Rules make a number of significant changes, including changes to the breach notification standard, business associate liability, marketing requirements, individual access rights and privacy notice disclosures. For more information about the changes, read the full newsletter.

About Snell & Wilmer

Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 16 locations throughout the United States and in Mexico, including Los Angeles, Orange County and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.

©2025 Snell & Wilmer L.L.P. All rights reserved. The purpose of this publication is to provide readers with information on current topics of general interest and nothing herein shall be construed to create, offer, or memorialize the existence of an attorney-client relationship. The content should not be considered legal advice or opinion, because it may not apply to the specific facts of a particular matter. As guidance in areas is constantly changing and evolving, you should consider checking for updated guidance, or consult with legal counsel, before making any decisions.
Media Contact

Olivia Nguyen-Quang

Associate Director of Communications
media@swlaw.com 714.427.7490