Did You Do These Critical Steps Before HIPAA’s 9/24 Compliance Deadline?
For those not paying attention, HIPAA was updated several months ago and the deadline for compliance was September 23, 2014. The new HIPAA regulations do not fundamentally change the HIPAA compliance obligations for employers who sponsor HIPAA-covered plans (self-insured group health, dental, vision, pharmacy benefits, and long-term care plans; health care reimbursement flexible spending accounts; employee assistance programs; and health reimbursement arrangements). Nonetheless, employers do need to complete several important tasks to attain compliance.
Business associates (third party administrators, pharmacy benefit managers, and insurance brokers) are for the first time required to comply with the HIPAA Security Rule, many provisions of the HIPAA Privacy Rule, and are subject to direct enforcement actions by the U.S. Dept. of Health and Human Services.
Regardless of whether your company is a covered health plan or a business associate, some of the following critical “to do’s” apply to you:
- Implement or Update Security Policies and Procedures: To reduce the risk of a potentially costly security breach, employers and business associates should implement or update policies and procedures to ensure compliance with the HIPAA Security Rule and to address any significant changes in operational reality since security policies were first implemented or last updated. Employers and business associates also should conduct a risk assessment to confirm that these policies and procedures adequately address and mitigate operational risk.
- Enter Into or Update Business Associate Agreements: Business associates must enter into business associate agreements with their subcontractors. Covered health plans are not required to update their existing business associate agreements until September 22, 2014; but many of the larger vendors who are business associates are already proposing updated agreements to their covered entity clients. On the bright side, this provides an opportunity to address terms of these agreements that have a business impact, such as reimbursement of costs incurred in responding to a security breach caused by a business associate and indemnification for third-party claims.
- Update or Implement Privacy Policies and Procedures: Employers that have previously implemented HIPAA policies and procedures will need to update them to address several regulatory changes like the new standard for determining whether a security breach has occurred and the new procedures applicable to requests by plan participants for access to protected health information (PHI) in electronic form. From a technical legal compliance perspective, business associates do not have a legal duty to implement policies and procedures. As a practical matter, though, business associates cannot meet their complex HIPAA compliance obligations without policies and procedures that provide direction to the business associate’s employees on what they actually need to do to comply with HIPAA.
- Update HIPAA Privacy Notices: Employers were required to update their HIPAA Notice of Privacy Practices by September 23, 2013 to inform participants in HIPAA-covered plans of new rights and new restrictions on the plans’ use of PHI. If the employer has a benefits website, the updated notice must be posted there and distributed to the named insured of each HIPAA-covered plan with the next open enrollment mailing. If the employer does not have a benefits website, the updated notice must be distributed within 60 days of its effective date.
- Conduct Training: Employees need to be informed of the changes to HIPAA regulations that are relevant to their job functions. At the same time, employers and business associates can take advantage of the opportunity to provide refresher training to everyone else.
Matt Austin is a Columbus, Ohio lawyer who owns Austin Legal, LLC, a boutique law firm with offices in central and northeast Ohio that limits its representation to employers dealing with labor, employment, and OSHA matters. Austin Legal’s Concierge Legal Services program is relied upon by companies to remain compliant and competitive. If you have employees, you need Concierge Legal Services. You can call Matt at (614) 285-5342 or email him at Austin@LaborEmploymentOSHA.com.