The Final HIPAA Rule Has Been Issued: Should Employers Care?

Written by: Charla Bizios Stevens

Published in the New Hampshire Business Review

Don has been reading about there being new rules in place regarding HIPAA, but he is uncertain as to whether his business needs to comply. How does he determine whether the new rules impact him and, if so, of what should he be aware?

The first thing a company should determine to assess whether this new rule will impact it is whether it is a “covered entity” or a “business associate” of a covered entity under the Health Insurance Portability and Accountability Act (“HIPAA”). Individuals, organizations, and agencies that meet the definition must comply with the Rule’s requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the business associate must also comply. Simply stated, if an entity does not meet the definition of a covered entity or a business associate, it does not need to comply with HIPAA.

Typically, a covered entity is either a healthcare provider, a health plan or a health care clearinghouse. In addition, a healthcare provider (physician, chiropractor, dentist, nursing home, pharmacy) is only required to comply if it transmits information about covered transactions (billing, confirmation of coverage) electronically. If an employer maintains a self-insured health plan which covers more than 50 employees, the plan is a group health plan covered by HIPAA. It is fair to say that most employers who provide health insurance to employees in a traditional insured plan or HMO will not be covered entities simply because they employ people and receive personal health information, for example, in connection with a request for medical leave.

For some time, health care providers and health plan administrators who are covered by HIPAA have been discussing and anticipating the release of a final rule by the U.S. Department of Health and Human Services (“HHS”). HHS described the Rule, officially published on January 25, 2013, as a move to strengthen the privacy and security protections for health information established under HIPAA. The effective date of the Rule is March 26, 2013, while the date by which all covered entities and business associates must comply with most of the provisions of the Rule is September 23, 2013.

The Rule is based on changes that have been made to HIPAA by more recent legislation including the HITECH Act which was a part of the American Recovery and Reinvestment Act of 2009 (“ARRA”) and the Genetic Information Nondiscrimination Act of 2008 (“GINA”).

For those covered entities, primarily employers who self-insure health care, health insurers and healthcare clearinghouses, it is time to review and update policies and procedures. The following compliance action items should be considered:

1. Revise business associate agreements to comply with the Rule.

2. Revise and redistribute your notice of privacy practices regarding (a) a patient’s right to restrict disclosure and to opt out of certain disclosures; (b) the types of uses and disclosures that require individual authorization; (c) the right to notice in the event of a breach; and (d) rights regarding the use of genetic information for health plan underwriting.

3. Update security policies for breach notification risk assessments to replace any “harm threshold” analysis with the revised objective standard provided by the Rule.

4. For Business Associates and subcontractors, make sure your privacy and security policies are HIPAA-compliant.

5. Also for Business Associates, identify all subcontractors who create, receive, maintain, or transmit protected health information on your behalf and enter into HIPAA-compliant business associate agreements with them.

For employers not covered by HIPAA, you can never review your privacy and security policies and procedures too often. Employee medical information (FMLA, ADA, workers’ compensation) should always be kept in a separate confidential medical file for each employee, with access restricted to those who have a legitimate need. Other private information about employees or others with whom a company does business (social security numbers, credit card numbers) should be subject to a Written Information Security Plan (“WISP”), which is required for all residents of Massachusetts (and what New Hampshire company does not employ or do business with Massachusetts residents?) and is considered a necessary best practice for all companies.

In sum, even businesses not subject to HIPAA should carefully consider how they safeguard the private information of their employees and customers. The breaches that result from failing to protect such information adequately can be very costly in terms of financial liability, adverse publicity (remember TJX?) and customer relationships.


Charla Bizios Stevens is a Shareholder and Director in the Employment Practice Group of the McLane Law Firm. She is also the state director for the HR State Council of New Hampshire.  She can be reached at 603-628-1363 or at [email protected].