Action Item Checklist for Employers: Final HIPAA Privacy Regulations

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) treats an employer-sponsored group health plan as a “covered entity” that must comply with the act’s Privacy and Security Rules, which originally became effective April 23, 2003. The Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009, made significant changes to the HIPAA Privacy and Security Rules. Early this year, the Department of Health and Human Services issued final regulations under HITECH (the “Final Rule”), which requires most employer-sponsored group health plans to update their HIPAA Privacy and Security compliance materials.

Changes made by HITECH and the Final Rule include notice obligations in the event of prohibited disclosures of protected health information; compulsory obligations and liabilities of business associates and their subcontractors; modified disclosure requirements under the notice of privacy practices; enhanced individual rights regarding access to, accounting of, and restrictions on protected health information; limitations on use of genetic information for underwriting purposes; revised provisions relating to sale or marketing of protected health information; and compliance and enforcement changes by the Department of Health and Human Services (HHS).

There are certain fundamental steps that covered entities should take to make sure that they will be in compliance. These measures include the following:

  1. Update Notices of Privacy Practices (“NPPs”). The Final Rule requires changes to be made to covered entities’ NPPs. These include: (a) describing uses and disclosures of protected health information (“PHI”) for which an authorization is required from the patient (such as sale of PHI, uses and disclosures for marketing purposes, or disclosure of psychotherapy notes); (b) stating that any uses or disclosures not described in the NPP require the patient’s authorization; (c) the right of a patient to restrict certain disclosures of PHI to a health plan where the individual pays for the service in full, out-of-pocket (i.e., if an individual pays out-of-pocket in full for a specific item or service, that individual has the right to ask that his PHI with respect to that item or service not be disclosed to a health plan for purposes of payment or health care operations); and (d) informing patients of their right to be notified in the event of a breach of unsecured PHI. Covered entities that post their notices on their websites must post the revised notice by September 23, 2013 and include it in the next mailing to participants. Covered entities that do not post their notices on their websites must distribute the notice by November 23, 2013.
  2. Update Business Associate Agreements. The Final Rule created additional requirements for what constitutes a valid Business Associate Agreement. A Business Associate Agreement must include the following: (a) business associates must comply with the HIPAA Security Rule; (b) business associates must report any breaches of unsecured PHI to covered entities; (c) business associates must ensure that any subcontractors that create or receive PHI agree to the same restrictions and conditions as the business associate; and (d) business associates are required to comply with the HIPAA Privacy Rule to the extent they are carrying out the covered entity’s obligations. Covered health plans are not required to update their existing business associate agreements until September 22, 2014. Important to note: Business Associate Agreements that are renewed between January 25, 2013 and September 23, 2013 must be revised to comply with the Final Rule by September 23, 2013. If a Business Associate Agreement renews after September 23, 2013, the Business Associate Agreement must comply by the earlier of (a) the date of the Business Associate Agreement’s renewal, or (b) September 22, 2014.
  3. Update breach response policies. The Final Rule changed the definition of “breach” as well as the risk assessment that must be undertaken to determine if there has been a breach. An impermissible access, use, or disclosure of PHI is now more likely to be considered a “breach,” which would necessitate notification to the individual, HHS, and possibly the media. Breach response policies should reflect the new standards.
  4. Review and update your HIPAA Manual. The Final Rule made numerous changes to the HIPAA Privacy Rule. The changes include revisions to marketing rules involving PHI, new standards relating to the sale of PHI, increased ability of patients to restrict disclosures of PHI, and changes to standards involving access to electronic medical records by patients. These new provisions should be reflected in HIPAA policy and procedure manuals.
  5. Educate employees. Simply changing policies and procedures is not enough. Employees who handle PHI must be made aware of the revised standards and understand the new policies. With these many changes, it is a good idea to provide HIPAA training to employees handling PHI.
  6. Update Plan and Summary Plan Description. Plan terms regarding HIPAA privacy must be amended, and any description of the HIPAA privacy rules in a Summary Plan Description or benefits booklet must be reviewed to determine whether updates are needed.
  7. Update forms and processes. Updates may need to be applied to authorization forms for release of health information, the process for complying with participant requests for restrictions on the use of PHI that are now allowed, and the process for providing electronic copies of PHI if requested.

For further information or assistance on how to comply with the above requirements, please contact any member of our Employee Benefits Practice Group.