The deadline to comply with the HIPAA Omnibus Final Rule is fast approaching. The final rule modifies the HIPAA privacy, security, enforcement, and breach notification rules and implements the statutory amendments to HIPAA made by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Genetic Information Nondiscrimination Act (GINA). The final rule became effective March 26, 2013, but covered entities and business associates were given until September 23, 2013 to comply.
HIPAA compliance for health plans is broader than some plan sponsors initially suspected. A “health plan” is defined as any plan that provides or pays for the cost of medical care. In addition to traditional medical plans, other plans may be governed by HIPAA, including health flexible spending accounts, health reimbursement accounts, and certain wellness and employee assistance programs. The extent of a plan sponsor’s privacy and security obligations varies depending on whether the plan is fully insured or self-insured and on whether the plan sponsor has access to protected health information (PHI) for plan administration.
Plan sponsors should review whether they have made all of the necessary changes to their HIPAA compliance program, including revisions to their Notice of Privacy Practices, privacy and security policies, breach investigation and notification policies and procedures, business associate agreements, and workforce training.
An article in our April Bulletin provides more detail on these changes. Please also join us for our upcoming HIPAA class on October 18, 2013.