Final HIPAA Regs require employer changes

This was published at – go there fore additional information. – Reeve
The HIPAA privacy rules restrict the use or disclosure of
protected health information by covered entities – including employer
group health plans – without express authorization, except when
necessary for treatment, payment or health care operations, or certain
other permitted purposes. The privacy rules include standards for
individuals’ privacy rights to understand and control how their health
information is used. The HIPAA security rules set standards to protect
the confidentiality, integrity, and availability of electronic protected
health information. Employers with self-insured group health plans,
including medical, dental, vision, health flexible spending accounts or
health reimbursement arrangements and certain employee assistance
programs, as well as those sponsoring on-site medical clinics or using
data warehousing in conjunction with their group health plans, will have
HIPAA obligations. In general, employers with insured group health
plans that don’t have access to protected health information will have
only limited HIPAA obligations. The final regulations implement the
amendments to HIPAA made by the Health Information Technology for
Economic and Clinical Health Act (the HITECH Act) and the Genetic
Information Nondiscrimination Act (GINA).

Generally, the final regulations:

  • Modify the HIPAA privacy, security, and enforcement rules, to:
    • incorporate increased and tiered monetary penalties and expanded enforcement structure of the HITECH Act
    • make business associates directly liable for compliance with certain privacy and security rules
    • modify the rules for breach notification
    • require modifications to notices of privacy practices
    • strengthen limits on use and sale of protected health information
    • expand rights to electronic copies of health information and
      restrict disclosures to health plans where the individual has paid for
      the treatment
    • adopt additional HITECH Act provisions.
  • Modify the HIPAA privacy rule to strengthen and implement the
    privacy protections for genetic information under GINA There are
    numerous changes in the final rules from earlier interim and proposed
    rules; however, employers will find that the general compliance
    framework for satisfying their HIPAA privacy and security obligations
    was not significantly altered by this recent round of regulatory
    guidance. HHS did not finalize other proposed regulations (published in
    May 2011) affecting accounting for disclosures and access reports.