More HIPAA Regulations - Are You Ready?

The American Recovery and Reinvestment Act of 2009, passed in February, added new provisions to the Health Insurance Portability and Accountability Act (“HIPAA”).  While most of the changes are scheduled to take effect in February 2010, the new notification rules (see below) will begin this September.  For employers, the new rules may add both a greater HR administrative burden and a greater risk of privacy-related lawsuits.  In addition, this administration advocates a bigger push towards enforcement, on both state and federal levels.

Key changes to the law include:

· Employers and/or health plans must notify individuals and the Health and Human Services Department about any security breach where protected health information has been accessed, disclosed or acquired.  This notification requirement applies to electronic and paper information.

· The notification must be sent within 60 days of the discovery of the breach.  It must be sent by first-class mail, unless the affected person has indicated a preference for email.  If the mailing addresses are out-of-date, the employer and/or health plan must post a notice about the breach on its website.  If the breach involves protected health information for more than 500 people, the employer and/or health plan must notify prominent media outlets in the local area.  The notice should discuss the facts surrounding the privacy breach, the types of information that were involved in the breach and the steps that individuals should take to protect themselves.

· Business associates, such as third-party administrators, consultants, actuaries, attorneys, pharmacy benefit managers, wellness program vendors and disease management vendors, must notify the employer and/or health plan when a privacy breach has occurred.  Civil and criminal penalties can apply to these business associates as well.  The new HIPAA provisions must be incorporated into employers’ and health plans’ contracts with business associates.

· The penalties for HIPAA privacy violations have been raised.  Depending on the circumstances, penalties range from $100-$50,000 for each violation, up to a total of $1.5 million.

· State attorneys general can now bring lawsuits in federal court on behalf of state residents who were impacted by a privacy breach.

Because of the expectation of increased enforcement, this is a good time to re-evaluate HIPAA compliance procedures.  Additionally, employers should review their liability insurance to determine whether changes are needed to obtain coverage for potential HIPAA violations.

From Employee Benefit News, May 2009 issue, pp. 1 and 73.