The deadline for compliance with the new HIPAA Omnibus Rule is looming for group health plans.  As explained in a prior blog, stiff penalties may be imposed on employers whose plans fail to comply.  Accordingly, employers should begin now to ensure timely compliance and avoid costly mistakes.

As a general matter, group health plans must comply with the final regulations no later than September 23, 2013.  Below is a checklist of action items to assist employers in this effort:

  1. Review and revise HIPAA policies and procedures to comply with all changes prescribed under the Omnibus Rule, including risk assessment procedures, timely notification for breaches, and prohibitions related to the use or disclosure of genetic information.
  2. Review and revise the Notice of Privacy Practices to incorporate the new disclosure requirements and redistribute to participants in accordance with prescribed guidelines.
  3. Revise authorization and other forms utilized by participants to exercise privacy rights to incorporate changes prescribed under the Omnibus Rule.
  4. Determine whether the group health plan engages in any marketing practices that are subject to authorization requirements and, if applicable, adopt procedures for obtaining authorizations.
  5. Review and revise business associate agreements to comply with all changes prescribed under the Omnibus Rule, including breach notification requirements.
  6. Review mitigation and indemnification provisions of business associate agreements to ensure protection for actions of agents.
  7. Schedule a training session with plan administrative staff and communicate the changes and protocol to all relevant personnel.
  8. Determine the effect of state law on HIPAA policies and procedures.

While the Omnibus Rule contains a transition period through September 23, 2014, to revise many business associate agreements, I recommend that employers amend existing business associate agreements now to ensure that the parties are aware of their responsibilities.  Specifically, it is imperative that the business associate agreement describe which party will be responsible for ensuring compliance with the breach notification requirements (which are greatly expanded under the Omnibus Rule and will be effective as of September 23, 2013, regardless of the terms of your business associate agreement).  Under these circumstances, delay may be the most costly form of denial!