We're celebrating 10 Days of Membership! Today's Gift: $20 off your professional membership with promo 10DAYS20OFF
Training, policies and tools to help HR prevent and respond to harassment claims.
Is your employee handbook keeping up with the changing world of work? With SHRM's Employee Handbook Builder get peace of mind that your handbook is up-to-date.
Develop your HR competencies and knowledge in-person in 12 U.S. cities or virtually.
#SHRM18 will expand your perspective – on your organization, on your career, and on the way you approach HR. Join us in Chicago June 17-20, 2018
The open enrollment to-do list of employee notices and important messages to deliver, which was already lengthy, has gotten longer. Now added to these annual tasks are more Health Insurance Portability and Accountability Act (HIPAA) procedures, required by final regulations that the Department of Health and Human Services (HHS) issued in January 2013.
HIPAA's privacy rule established a set of national standards to protect certain health information. This rule applies to covered entities (health plans, health care clearinghouses and health care providers that transmit health information in electronic form). The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act in 2009, gave HIPAA teeth by requiring notification of, and imposing significant penalties for, unauthorized acquisition, access, use or disclosure of protected health information. In 2008 the Genetic Information Nondiscrimination Act (GINA) extended privacy protection to genetic information, disallowing its use for underwriting purposes and employment decisions.
omnibus final regulation comprises four final rules that make HITECH and GINA taxing—literally, in the form of penalties. The final rules went into effect on March 26, 2013. Covered entities and business associates were given 180 days or until Sept. 23, 2013, to comply with most of the final regulations.
A transition period is available until sept. 23, 2014, for covered entities and business associates to amend their agreements to comply with the new requirements; at that time, all business associate agreements must be updated as necessary to reflect the Omnibus Rule requirements. However, covered entities and business associates must meet all other HIPAA requirements by Sept. 23, 2013.
The first rule modifies HIPAA privacy, security and enforcement rules mandated by HITECH. Specifically, it:
The second rule finalizes the 2009 interim civil monetary penalty structure for noncompliance. These penalties apply to breaches that occurred on or after Sept. 23, 2009.
The third rule finalizes a more objective standard of the HITECH breach notification rule’s “harm” threshold. Essentially, breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies). Covered entities have the burden of proving that an impermissible use or disclosure did not constitute a breach.
The fourth rule finalizes modifications to the HIPAA privacy rule, as required by GINA. This rule excludes long-term-care plans from the underwriting prohibition; however, such plans are subject to the Privacy Rule.
Steps to Take
Plan sponsors need to make sure their health plans (self-funded or fully insured) complete action items to achieve compliance. These items include the following steps:
Distributing the Revised Notice
"Because HHS has determined that this new language constitutes a material change to the notice, employers that maintain a benefits website are required under the HIPAA Privacy Rule to (a) post the revised notice on their benefits website by the Omnibus Final Rule's compliance deadline of Sept. 23, 2013; and (b) distribute the revised policy to the named insured in its next annual mailing to plan participants," wrote Philip Gordon, chair of the privacy and data protection practice group at law firm Littler Mendelson, in BNA’s
Privacy & Security Law Report,
reposted on Littler's website.
"Employers that do not maintain a benefits website must distribute the revised notice within 60 days of the material revision to the notice. If this group of employers waits until Sept. 23, 2013, for their revised notice to become effective, then distribution of the notice by Nov. 22, 2013, should coincide with their open enrollment season. Employers can distribute the revised privacy notice by email as long as the named insured agrees to electronic delivery," Gordon noted.
The Department of Health and Human Services has
posted additional information about the HIPAA privacy rule and the notice requirements, including
model notice language.
Privacy protection is a hot-button issue. Enforcement is mandatory through the Office of Civil Rights within the HHS. Fines for willful neglect are significant, with virtually no cap, since fines apply per violation, not per year.
Leanne Fosbre is the senior compliance writer at
HighRoads, a provider of health care compliance and benefits plan management services.
You have successfully saved this page as a bookmark.
Please confirm that you want to proceed with deleting bookmark.
You have successfully removed bookmark.
Please log in as a SHRM member before saving bookmarks.
Your session has expired. Please log in again before saving bookmarks.
Please purchase a SHRM membership before saving bookmarks.
An error has occurred
Recommended for you
Five key facts about High-energy visible (HEV) a.k.a. “blue light”
Refer a Friend to SHRM
SHRM’s HR Vendor Directory contains over 3,200 companies