Who is this nemesis?
The Health Insurance Portability & Accountability Act – good ol’ HIPAA.
- Privacy & Security rules
- Protected Health Information (PHI)
- Rolled up in the ironically-named Administrative Simplification
If you are an employer that sponsors health plans, HIPAA has joined forces with the following to form the omnibus final rule.
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- The Genetic Information Non-Discrimination Act (GINA)
New rules – new deadlines.
The primary areas affected by the new rules include the following.
- Expanded individual rights for quicker response to requests for PHI, option for electronic copies, and disclosure restrictions placed on health care providers
- Prohibited sale of PHI without authorization of individual
- Further limits on use and disclosure of PHI related to marketing and fundraising
- New rules regarding the PHI of decedents, covering disclosure to family members and individuals involved in care or payment, and establishing that PHI is no longer protected 50 years after the individual's death
- Major changes regarding business associates, expanding the definition of business associate and establishing direct liability for business associates and subcontractors to comply with certain privacy and security rules
- Enhanced protection of genetic information under privacy regulations, including standards for health risk assessments
- Tightened breach language and notification requirements, requiring notification for any unauthorized use or disclosure of PHI
- Increased penalties for non-compliance under enforcement, scaled to the level of negligence
The above list is by no means exhaustive; however, the HIPAA foundation is the same.
The devil is in the details.
That’s something HR professionals are used to.
Generally, employers that self-insure health plans will have much more to do to comply than those employers with fully insured health plans.
In the case of fully insured health plans, the insurance company will be handling the lion’s share of compliance.
Remember, health plans are not only your medical plans. They include dental, vision, your Employee Assistance Program and more.
Check with your legal counsel on your specific health plans, and what you need to do to comply.
When Do You Need to Act?
Most of the new provisions must be in place by September 23, 2013.
There are some possible extensions for enacting revised Business Associate Agreements.
The U.S. Department of Health and Human Services (HHS) provides Sample Business Associate Agreement Provisions.
In Free Stuff on this site there is a PDF document, HIPAA/HITECH 2013 Checklist for Employer Sponsors of Health Plans.
The checklist is a guide only on some of the tasks required by employer sponsors to comply with the new regulations.
Once again, it’s time for HR to roll up your legislative sleeves and tackle the giant HIPAA in the room.
Are you up to the task?
Notice of Disclaimer – Cathy Miller is not an attorney or health care provider and cannot provide legal or health care advice. The information provided is for your general background only, and is not intended to constitute legal or health care advice as to your specific circumstances. We recommend you review legislation with legal counsel and visit your physician for health care issues.