HIPAA Healthcare Reform - Prompt Attention Needed to Address Upcoming 2013 Deadlines

by Sherman & Howard L.L.C.

2013 has already been a busy year for employers with group health plans who are trying to navigate the Affordable Care Act and its immediate implications for employee benefits.  However, there are other, less talked about but equally important, deadlines to address for Fall 2013 under federal law (including the Affordable Care Act).  For a complete list of the 2013 and 2014 deadlines, please see our previous Client Advisory titled "2013 and 2014 under the Affordable Care Act".

The Health Insurance Portability and Accountability Act/Health Information Technology for Economic and Clinical Health Act Omnibus Rules ("HIPAA/HITECH")

In January 2013, the long-awaited HIPAA/HITECH Final Rule ("the Final Rule") was issued.  While the effective date of the Final Rule was March 26, 2013, the actual compliance date for most of the Rule's provisions is September 23, 2013.  The Final Rule made significant changes to the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule, and will require group health plans ("covered entities") (and the plan sponsors that maintain them) to take immediate action to remain in compliance.  While the term "covered entity" for purposes of HIPAA includes health plans, health care providers, and health care clearinghouses, this Client Advisory will address only the HIPAA requirements for health plans.  Additionally, for employers that sponsor a fully-insured health plan, many of the requirements discussed below will be taken care of by the plan's insurer.  However, employers that sponsor fully-insured health plans will want to confirm with their insurers that all of the new provisions (including providing notices where applicable) are addressed.  While the Final Rule will affect each covered entity differently, below is a summary of the most common changes applicable to covered entities and employers.

  1. Expanding the Definition of Business Associates

    The Final Rule broadened the definition of a business associate to include subcontractors, health information organizations, entities that offer a personal health record to individuals on behalf of a covered entity, and other entities that provide data transmission services for covered entities and that require access on a routine basis.  With this expanded definition, plan sponsors should be sure that their group health plans have an updated business associate agreement in place with all business associates.

    The Final Rule also provides a list of HIPAA Privacy and Security Rule requirements that apply directly to business associates, including the obligation to:

    A)    maintain detailed records of uses or disclosures of protected health information ("PHI") to be produced upon request;

    B)    provide an electronic copy of PHI to covered entities or individuals upon request;

    C)    enter into business associate agreements with subcontractors that create or receive PHI on their behalf; and

    D)    make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.

    As many of these new requirements were not traditionally thought to apply to business associates, business associate agreements will need to be amended to comply with the new provisions.  While new business associate agreements must comply with the new requirements by September 23, 2013, the Final Rule provides that business associate agreements currently in place do not need to be updated to comply with the new requirements until the earlier of: (1) the next renewal after September 23, 2013, or (2) September 23, 2014.  It is important for covered entities to ensure that their business associate agreements are updated, and that business associates are adhering to the new requirements, as the Final Rule makes clear that covered entities may be held vicariously liable for violations by business associates acting as their agents.

  2. Breach Notification Obligations

    In the Breach Notification Rule, the Final Rule adopted a new definition of "breach", under which any impermissible use or disclosure of PHI is presumed to be a breach for which breach notification is required, unless the covered entity can demonstrate through a risk assessment that there is a low probability that the PHI has been compromised.

    This new Breach Notification Rule replaces the "harm standard", which had previously allowed covered entities to avoid breach notification if they could demonstrate that the breach posed no significant risk of harm to the affected individual.  The new, more stringent standard provides factors that must be used in the risk assessment.  These factors include:

    A)    the nature and extent of the PHI involved (including the types of PHI and the likelihood of re-identification);

    B)    the unauthorized person who used the PHI or to whom the disclosure was made;

    C)    whether the PHI was actually acquired or viewed; and

    D)    the extent to which the risk to the PHI has been mitigated.

    If a covered entity is unable to demonstrate through the risk assessment that there is a low probability that PHI was compromised, it must provide breach notification to the affected individuals without unreasonable delay and in no event later than sixty days following discovery of the breach.  This is important for covered entities to remember when drafting business associate agreements, as the breach notification obligations belong solely to the covered entity and, generally, the date on which a business associate discovers a breach will be imputed to the covered entity.  Therefore, covered entities will want to make sure that they receive information as soon as possible from business associates to give the covered entity enough time to act.

  3. Restriction on the Marketing and Sale of PHI

    The Final Rule requires written authorization from individuals if the covered entity will receive direct or indirect remuneration from a third party whose product or service is being marketed.  The Final Rule also prohibits the disclosure of PHI without written authorization from an individual, except where the disclosure is made:

    A)    for public health purposes;

    B)    for certain research purposes;

    C)    for treatment and payment purposes; or

    D)    as required by law.

  4. Notice of Privacy Practices

    The Final Rule requires several changes to the Notice of Privacy Practices which must be distributed to individuals.  These changes include disclosures regarding:

    A)    the use of psychotherapy notes;

    B)    restrictions on the disclosure of PHI for marketing purposes;

    C)    restrictions on the sale of PHI;

    D)    required authorizations for disclosure of PHI;

    E)    breach notifications; and

    F)    an individual's right to restrict access to their PHI.

    The Final Rule requires that the updated Notice of Privacy Practices be posted on the covered entity's website, and included in the covered entity's first annual mailing following September 23, 2013.  If the covered entity does not maintain a website, the notice must be mailed within 60 days of the September 23, 2013 deadline (by December 22, 2013).  Covered entities will need to update their Notice of Privacy Practices to comply with the Final Rule, and take the proper steps to distribute the Notice to participants by the deadline.

  5. Implementation of Provisions of the Genetic Information Nondiscrimination Act ("GINA")

    The Final Rule revises the definition of "health information" that must be protected to include genetic information such as an individual's genetic tests, the genetic tests of family members, and family medical history.  The Final Rule clarifies that covered entities may not use or disclose genetic information when it qualifies as PHI except as the Privacy Rule permits or requires, or where the individual has authorized such use in writing.  This prohibition on the use of genetic information extends to underwriting purposes.  Covered entities should review their PHI policies and procedures to ensure compliance with these rules.

  6. Increased Rights for Individuals Regarding Access to Their PHI

    The Final Rule allows individuals to request a restriction on the uses and disclosures of their PHI if the disclosure is for the purpose of carrying out payment or health care operations not otherwise required by law, and the PHI pertains solely to a health care item or service for which the individual, or a person on the individual's behalf, has paid in full.  Covered entities should ensure that appropriate policies are in place for individuals who request restrictions on the use of their PHI, and that business associates are notified of such restrictions.

    The Final Rule also provides that a covered entity must provide an individual with copies of his or her PHI in the form requested (e.g., electronic) if the PHI does in fact exist in that form.  Individuals also have the right under the Final Rule to make a written request that their PHI be sent to a third party.

Health Insurance Marketplace

The Affordable Care Act requires employers subject to the Fair Labor Standards Act to provide employees with a written notice describing the Health Insurance Exchange, also known as the Health Insurance Marketplace (the "Marketplace Notice").  This Notice should include information on:

A)    the existence of the Marketplace;

B)    the services provided by the Marketplace;

C)    the tax credits that are available for some employees who purchase coverage through the Marketplace; and

D)    the effect that purchasing coverage through the Marketplace can have on employer contributions and tax savings towards the cost of employer-sponsored coverage.

The deadline for distributing the required Marketplace Notice to all existing employees (not just plan participants) is October 1, 2013.  After that date, new employees must be given the notice at the time they are hired.  The Department of Labor ("DOL") has issued model notices which can be used to satisfy the notice requirement.  One model notice is available for employers that provide group health plan coverage, and one is available for employers that do not provide such coverage.  The Department of Labor's model notices can be found at: http://www.dol.gov/ebsa/pdf/FLSAwithplans.pdf

COBRA Election Notice

The Department of Labor also has issued a new model COBRA Election Notice to make COBRA qualified beneficiaries aware of their coverage options under the Marketplace and the tax credits that may be available to help pay for coverage purchased through the Marketplace.  The new COBRA Election Notice also makes changes to the language of prior COBRA Election Notices related to pre-existing conditions (which, effective for plan years starting on or after January 1, 2014, will be prohibited in all plans).  There are certain blanks in the model COBRA Election Notice that employers must fill in to make the notice complete.  Although the DOL has not yet indicated when the new COBRA Election Notice must be used, because it references the Marketplace, it would appear that the new COBRA Election Notice should be used after October 1, 2013.  The model notice can be found at: http://www.dol.gov/ebsa/modelelectionnotice.doc

Employers are urged to address these upcoming deadlines soon to ensure compliance with these rules. 

Circular 230 Notice
This advisory contains provisions concerning a federal tax issue or issues. This advisory is not intended or written to be used, and cannot be used, by any taxpayer for the purpose of avoiding penalties that may be imposed on any taxpayer by the Internal Revenue Service. For information about this statement, contact Sherman & Howard L.L.C. or visit our website at


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sherman & Howard L.L.C. | Attorney Advertising
