Our partner Keith McMurdy posted a timely summary of the requirements of the HIPAA Omnibus Rule for employers and benefit plan sponsors at his Employee Benefits Legal Blog. It is reproduced below:
With all of the attention being paid to compliance with health care reform and the October 1, 2013 exchange notices to employees, the September 23, 2013 HIPAA compliance deadline may have been lost in the shuffle. Employers should recall that earlier this year, HHS issued its final security and privacy regulations that made some real changes to the breach notification rules and the business associate rules, and employers should make sure that these changes have been implemented to avoid penalties.
With respect to the privacy rules, a revised Notice of Privacy Practices should be issued to incorporate the new rules related to breaches in the security of protected health information (PHI). Changes that should be included are the notification provisions if a breach occurs and also a specific statement that genetic information will not be used. With respect to the Business Associate Agreements, plan sponsors have to make a determination as to whether service providers are now business associates under the new rules, which broaden the definition. Further, they have to make sure that their current business associates (and any new business associates) are themselves HIPAA compliant. It is also a good idea for sponsors to update privacy and practices statements to include the new breach rules and also undertake to train plan employees about the new privacy restrictions.

So when considering how to distribute your October 1 exchange notices, take a look at your HIPAA privacy notices as well and make sure they are properly updated and distributed as well. If you have questions about the specifics of the HIPAA requirements, don't hesitate to get the details from your benefits professionals or your attorneys at Fox Rothschild.