Employers Take Note: Final HIPAA Rules Mandate New Obligations For Group Health Plans

Also see:

Overview of HIPAA Amendments (Duane Morris Alert, January 29, 2013)

Breach notification under 2013 HIPAA Amendments (Duane Morris Alert, January 25, 2013)

Business associate definition under 2013 HIPAA Amendments (Duane Morris Alert, January 23, 2013)

Minimum necessary standard under HIPAA amendments (Duane Morris Alert, February 11, 2013)

Genetic information under HIPAA amendments (Duane Morris Alert, February 25, 2013)

Group Health Plans

Employers that sponsor group health plans for their employees should pay careful attention to the newly announced final omnibus rule amending the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") in accordance with the HITECH Act of 2009 (the "HITECH Act"). This final rule under the HITECH Act (the "Final Rule") issued on January 17, 2013, impacts group health plans in two significant ways. First, the Final Rule expands the existing definition and obligations of a business associate of a group health plan under HIPAA. In addition, the Final Rule modifies the obligation of a group health plan in regard to breaches of protected health information ("PHI") that is unsecured.

Group health plan sponsors should act now to make changes to existing plan documents, including HIPAA procedures and business associate agreements, in response to the Final Rule. An overview of how HIPAA generally applies in the context of employer-sponsored group health plans and these significant changes impacting group health plans follows.

The Basics: HIPAA and Group Health Plans

A group health plan sponsored by an employer (subject to exceptions for certain plans) is a covered entity under HIPAA. The HIPAA Privacy, Security, Breach Reporting and Enforcement Rules protect PHI received, used, maintained or created by the group health plan as a HIPAA-covered entity. Thus, an employer, in its role as the sponsor and/or administrator of a group health plan, acquires the obligation to comply with HIPAA and with the protections these HIPAA rules place on PHI.

What Is PHI? HIPAA defines PHI as all information, including demographic information used or transmitted by a group health plan or a business associate of a group health plan, that identifies an individual (or for which there is a reasonable basis to believe the information could be used to identify an individual) and which relates to an individual's physical or mental condition; the provision of healthcare to an individual; or payment related to the provision of healthcare. From a practical perspective, this broad definition of PHI means that much of the information which commonly comes across a plan administrator's desk or email, or that is orally communicated by an employee to an employer who administers the plan, is protected as PHI under HIPAA. PHI includes, but is not limited to, an employee's enrollment status in a group health plan; an employee's payments for benefit coverage under a group health plan; and information contained...
