New HIPAA regulations for sponsors of group health plans

The U.S. Department of Health and Human Services recently released its final regulations – also known as the “Final Rule” or “Omnibus Rule” – modifying the privacy, security, breach notification and enforcement rules associated with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Final Rule implements a significant number of provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was enacted as part of the American Recovery and Reinvestment Act of 2009 and designed to strengthen the privacy and security of protected health information (PHI).

Although the Final Rule goes into effect March 26, 2013, covered entities, including employee health plans and their business associates and subcontractors, generally have until September 23, 2013, to comply with the new requirements. Special transition rules apply to agreements between covered entities and their business associates that were in effect prior to January 25, 2013, and that are not modified before the September 2013 compliance deadline.

As the law pertains to employers, “covered entities” include group health plans, including medical plans, cafeteria plans and flexible spending accounts, employee assistance programs, wellness programs, or any other employee benefit programs where health-related information on individuals (referred to as “protected health information” or “PHI”) is generated or received. Insurance companies are also considered covered entities for fully insured plans. “Business associates” include consultants and brokers, third-party administrators (TPAs), lawyers, organizations that transmit or access protected health information, and third-party administrators for self-insured plans.

As a result of these Final Rule changes, most employers will be required to update their HIPAA policies and procedures, including privacy notices, disclosure requirements, and other documentation.

Specifically, we suggest that employers:

  1. Identify all plans that generate or use PHI, including group medical plans, wellness programs, healthcare FSAs, and employee assistance programs.
  2. Review the scope of services with vendors to determine whether business associate and subcontractor relationships exist and whether business associate agreements should be put in place.
  3. Revise HIPAA policies and procedures to comply with all of the changes required under the Final Rule.
  4. Revise privacy notices to incorporate the new disclosure requirements and redistribute the notice in accordance with the new guidelines.
  5. Revise forms utilized by individuals to exercise their privacy rights to address changes made by the Final Rule.
  6. Review marketing practices to determine if they will be subject to prior authorization requirements.
  7. Amend existing business associate agreements to comply with the changes under the Final Rule.

This employee benefits law alert has been provided for informational purposes only. It does not provide legal advice, and it is not intended to create a lawyer-client relationship. Readers should not act upon the information in this publication without seeking professional counsel.