The recently released final regulations modify HIPAA Privacy, Security, Breach Notification and Enforcement Rules.
The modifications affect all group health plans and business associates (firms such as your broker/consultant, TPA and other record-keepers and advisers). Collectively known as “covered entities,” affected plans and organizations are subject to new and revised HIPAA privacy and security regulations and are exposed to potentially expanded liability. Penalties can extend to $50,000 for each violation, and up to $1.5 million for all violations.
Don’t assume that because your group health plan is fully insured you are off the hook. If you have a self-funded prescription drug plan, healthcare FSA, wellness program or EAP, you may generate or receive individually identifiable health information and be subject to HIPAA and all of its requirements.
The new requirements are effective March 26, 2013, and some covered entities must be compliant as early as September 23, 2013.
If your advisors haven’t already contacted you regarding executing an updated business associate agreement, it’s critical you contact them immediately.
Additionally, to ensure compliance with the new rules, consider performing a risk assessment to determine your current level of compliance with the expanded regulations. ComplianceBug has online tools to assist employers and their advisers in complying with the law and taking the steps necessary to update their policies, procedures, documents and notifications.