If You Maintain a Group Health Plan for Your Employees, Then You May be Required to Update Your HIPAA Compliance Documents by September 23, 2013

Legal Alerts

9.06.13

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) treats an employer-sponsored group health plan as a “covered entity” that must comply with the Privacy and Security Rules, which originally became effective April 23, 2003. The Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act of 2009, made significant changes to the HIPAA Privacy and Security Rules. Early this year, the Department of Health and Human Services issued final regulations under HITECH, which require most employer-sponsored group health plans to update their HIPAA Privacy and Security compliance materials no later than September 23, 2013.

Changes made by HITECH and the final regulations include notice obligations in the event of prohibited disclosures of protected health information; compulsory obligations and liabilities of business associates and their subcontractors; modified disclosure requirements under the notice of privacy practice; enhanced individual rights regarding access to, accounting of, and restrictions on protected health information; limitations on use of genetic information for underwriting purposes; revised provisions relating to sale or marketing of protected health information; and compliance and enforcement changes by the Department of HHS.

The level of responsibility and HIPAA compliance efforts may vary from one employer to the next depending on the employer’s group health plan design (such as the funding mechanism as a fully-insured arrangement through an insurance carrier or self-insured arrangement through the employer’s general assets) and/or the level of employer involvement in administering the plan and thus receiving and maintaining protected health information about plan participants. At a minimum, we recommend that all employers sponsoring a group health plan have a discussion with their attorney or other advisor to determine what action they should take to ensure compliance with HITECH and the final regulations. This action may include formally amending the health plan document and employer certification, revising the plan’s HIPAA written policies and procedures and notice of privacy practice, entering into new business associate agreements with plan vendors, and holding new training sessions for its workforce members regarding the new rules.

Dykema regularly assists employers with HIPAA compliance analysis and audits, preparation of HIPAA compliance materials, and HIPAA training sessions. To learn more about these changes or our HIPAA services, please contact Amy M. Christen (achristen@dykema.com or 248-203-0760) or Gabe Marinaro (gmarinaro@dykema.com or 313-568-6874) or any of the HIPAA Compliance attorneys listed to the left.


As part of our service to you, we regularly compile short reports on new and interesting developments in our business services program. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments on this newsletter, or any Dykema publication, are always welcome. © 2013 Dykema Gossett PLLC.