Employee Benefits Update from Cindy Van Bogaert, Partner and Chair of the Employee Benefits Practice Group at Boardman Law Firm LLP. This FYI provides information about new HIPAA (“Health Insurance Portability and Accountability Act”) breach notification requirements for protected health information (“PHI”).
Regulations were issued August 24th regarding notification requirements for breaches of unsecured PHI. The regulations are effective September 23, 2009. The regulations generally affect “covered entities” such as employer health plans (e.g., medical, dental, vision, and health flexible spending accounts) and their business associates under the HIPAA privacy and security rules.
Under the new regulations, certain breaches of unsecured PHI that may cause financial, reputational, or other harm to an individual must be reported to the individual and to the Federal government. Covered entities will need to determine if the breach falls under an exception under the rule, evaluate whether the affected PHI was “unsecured” within the meaning of the regulation, assess whether the HIPAA privacy rule was violated, and conduct a risk assessment to determine if there is a significant risk of financial, reputational, or other harm to the individual. If the breach meets the standards, covered entities must notify the individual and the Department of Health and Human Services of the breach. If the breach involves more than 500 residents of a State or jurisdiction, covered entities also must notify media outlets. A covered entity is required to train its workforce with respect to the new breach notice requirements, provide for a complaint procedure, set up breach notification policies and procedures, and meet other requirements in the new regulations.
Employers with group health plans should act now to:
– Update written HIPAA policies and procedures.
– Revise business associate agreements.
– Conduct training (for one training option, see “HIPAA Privacy Training Seminars” below).