Are Your HIPAA Privacy Policies Up to Date?


If you haven’t focused on HIPAA lately, now is the time. On January 25, 2013, the Department of Health and Human Services issued final regulations implementing revisions to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a result of the extensive revisions to HIPAA made by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. These new regulations, known simply as the “Omnibus Regulations,” became effective March 23, 2013, and require all HIPAA-covered entities, including employer-sponsored group health plans, to update their HIPAA policies and procedures by September 23, 2013.

As described in our earlier post, “New Final Regulations Strengthen HIPAA Privacy and Security Rules,” these extensive Omnibus Regulations:

  • expand the scope and impact of the Privacy and Security Rules on business associates;
  • impose significant new restrictions on the use of protected health information (PHI);
  • revise individual rights to reflect various HITECH Act requirements;
  • implement new enforcement of the tiered penalty structure established by the HITECH Act;
  • redesign the final HITECH Act breach notification rule; and
  • include genetic information in the definition of PHI.

If you provide medical, dental, vision, wellness, employee assistance benefits, or if you sponsor a health reimbursement arrangement or a health flexible spending account plan, your HIPAA privacy compliance is likely out of date and should be reviewed immediately in light of the Omnibus Regulations. Also, on or before September 23, 2013, your plan should update and reissue its Notice of Privacy Practices. Don’t forget that your privacy officer will need to arrange for updated training for all employees who may come into contact with protected health information on behalf of your health plans.

Finally, note that your business associate agreements also will require updating, but you have an extra year until September 23, 2014, to update those agreements that were in place when the Omnibus Regulations were issued in January. Any new business associates will need to execute agreements with the health plan which incorporate changes implemented by the new rules.

Please feel free to contact a member of the Ogletree Deakins employee benefits practice group for any compliance assistance you may need.

Stephanie A. Smithey is a shareholder in the Indianapolis office of Ogletree Deakins.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ogletree, Deakins, Nash, Smoak & Stewart, P.C. | Attorney Advertising
