The Final HIPAA Rule Has Been Issued: Should Employers Care?

June 17, 2013
Published in the New Hampshire Business Review

Don has been reading about there being new rules in place regarding HIPAA, but he is uncertain as to whether his business needs to comply. How does he determine whether the new rules impact him and, if so, of what should he be aware?

The first thing a company should determine to assess whether this new rule will impact it is whether it is a “covered entity” or “business associate” of a covered entity under  the Health Insurance Portability and Accountability Act (“HIPAA”). Individuals, organizations, and agencies that meet the definition must comply with the Rule’s requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the business associate must also comply. Simply stated, if an entity does not meet the definition of a covered entity or a business associate, it does not need to comply with HIPAA.

Typically, a covered entity is either a healthcare provider, a health plan or a health care clearinghouse. In addition, a healthcare provider (physician, chiropractor, dentist, nursing home, pharmacy) is only required to comply if it transmits information about covered transactions (billing, confirmation of coverage) electronically. If an employer maintains a self-insured health plan which covers more than 50 employees, the plan is a group health plan covered by HIPAA. It is fair to say that most employers who provide health insurance to employees in a traditional insured plan or HMO will not be covered entities simply because they employ people and receive personal health information, for example, in connection with a request for medical leave.

For some time health care providers and health plan administrators who are covered by HIPAA have been discussing and anticipating the release of a final rule by the U.S. Department of Health and Human Services (“HHS”).  HHS described the Rule, officially published on January 25, 2013, as a move to strengthen the privacy and security protections for health information established under HIPAA. The effective date of the Rule is March 26, 2013, while the date by which all covered entities and business associates must comply with most of the provisions of the Rule is September 23, 2013.

The Rule is based on changes that have been made to HIPAA by more recent legislation including the HITECH Act which was a part of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and the Genetic Information Nondiscrimination Act of 2008 (“GINA”).

For those covered entities, primarily employers who self-insure health care, health insurers and healthcare clearinghouses, it is time to review and update policies and procedures. The following compliance action items should be considered:
1. Revise business associate agreements to comply with the Rule.

2. Revise and redistribute your notice of privacy practices regarding (a) a patient’s right to restrict disclosure and to opt out of certain disclosures; (b) the types of uses and disclosures that require individual authorization; (c) right to notice in the event of a breach; and (d) rights regarding the use of genetic information for health plan underwriting.

3. Update security policies for breach notification risk assessments to replace any “harm threshold” analysis with the revised objective standard provided by the Rule.

4. For Business Associates and subcontractors, make sure your privacy and security policies are HIPAA compliant.

5. Also for Business Associates, identify all subcontractors who create, receive, maintain, or transmit protected health information on your behalf and enter into HIPAA compliant business associate agreements with them.

For employers not covered by HIPAA, you can never review too often your privacy and security policies and procedures. Employee medical information (FMLA, ADA, worker’s compensation) should always be kept in a separate confidential medical file for each employee with access restricted to those who have a legitimate need.  Other private information about employees or others with whom a company does business (social security numbers, credit card numbers) should be subject to a Written Information Security Plan (“WISP”) which is required for all residents of Massachusetts (and what New Hampshire company does not employ or do business with Massachusetts residents?) and is considered a necessary best practice for all companies.

In sum, even businesses not subject to HIPAA should carefully consider how it safeguards the private information of their employees and customers. The breaches which result from failure to protect such information adequately can be very costly in terms of financial liability, adverse publicity (remember TJX?) and customer relationships.

Charla Bizios Stevens is a Shareholder and Director in the Employment Practice Group of the McLane Law Firm. She is also the state director for the HR State Council of New Hampshire.  She can be reached at 603-628-1363 or at